Yet Another Company Failed to Secure Its Database, and 198 Million Car Buyers Were Exposed
Far too often, high cost is cited as the main reason for failing to secure people's private data. When organizations suffer a cyberattack, they tend to say that they would have used the right tools and hired the right people if it weren't so expensive.
On many occasions, however, companies don't need to spend millions in order to secure people's information. Often, avoiding some of the most basic mistakes is all that's needed. A recent data security incident involving a network of websites owned by DealerLeads confirms this.
Nearly 200 million car buyers have their data exposed
In August, Jeremiah Fowler of SecurityDiscovery.com discovered a database containing the names, emails, phone numbers, physical and IP addresses, and other identifiable information of a whopping 198 million people. At first, he struggled to find out who owned the 413GB dataset, but after some investigating, he realized that it belonged to DealerLeads. Initial reports by email went unanswered, but once he picked up the phone, the company sprang into action and took the necessary precautions to secure the data.
But how did DealerLeads collect all this information in the first place? And how did the data end up exposed?
DealerLeads' business model revolves around the buying and selling of new and old cars. The company doesn't actually trade any automobiles, though. Instead, it has a network of well-SEO'd websites that attract large numbers of car buyers, and it redirects them to dealers who pay for the extra traffic and customers.
The information Jeremiah Fowler found was apparently collected while the potential car buyers were still on DealerLeads' websites. It's difficult to say how well-informed users were of the data collection, and it's also unclear what DealerLeads wanted to do with it. Whatever the purpose of the database, however, it wasn't protected as well as it should have been.
Another data breach caused by a basic configuration error
Unfortunately, we are once again talking about a massive database full of sensitive information that was accessible to anyone with a browser. Once again, it was an Elasticsearch server that was exposed to the internet, and once again, it wasn't protected by a password.
It's the latest in a very long line of massive data exposure incidents that happened not because the cybercriminals were too clever or sophisticated, but because the companies responsible for protecting people's information didn't do what they needed to do.
We're not talking about expensive security solutions. We're talking about a lack of fundamental understanding of the tools available and their protection mechanisms. It's the equivalent of putting all your sensitive data in a smartphone and leaving the device unattended and unlocked in a public place. The difference is that in the case of DealerLeads, close to 200 million people were affected. How worried should these 200 million people be?
The leaked data might have been accessed by cybercriminals
The database was taken offline on August 20, shortly after Jeremiah Fowler reported it. Nobody's saying for how long it was exposed, though, and although it's difficult to tell if Fowler was the first to discover it, the researcher himself admitted that he had seen it "several times" prior to his report. In other words, it won't be too surprising if it turns out that the data has already fallen into the wrong hands, which makes DealerLeads' reluctance to issue a public statement even stranger.
There's nothing official at the moment, and it's hard to say if the SEO business is contacting affected users individually. Whatever the case, the incident should not be underestimated.
There's enough identifiable information to cause quite a lot of harm in the real world, and the presence of IP addresses and other data in the misconfigured Elasticsearch installation opens the door for crime in the digital one as well. If you think that your data might have been exposed, you should be even more careful than usual.