Ethical hacking specialists from security firm ESET report the discovery of a misconfigured ElasticSearch implementation that exposed the data of nearly 2.5 million Colombian citizens on the internet. The compromised information includes names, email addresses, phone numbers and other personal details.
Reporting this security flaw was a titanic task for the firm’s experts: it was difficult to immediately find the people responsible for receiving the report, and in the meantime the information was still being exposed. Apparently the reports have since reached the right people, so the information is now secured.
“This is a clear sign that companies do not consider information security comprehensively, but prefer to leave this step at the end,” ethical hacking experts say. A similar data breach was previously reported in Ecuador, although on that occasion the incident affected most of the country’s population.
Experts say authorities in some countries, especially in Latin America, have failed to turn the media impact of these security incidents into better policies or updated technology implementations that would prevent harm to citizens. “Governments and private companies should at least try to learn from these vulnerabilities and try to correct them so they don’t show up in the future,” the experts added.
In addition, ethical hacking specialists claim that companies must weigh the security of information above the functionality of some applications and services, although in many cases this does not happen. Previous cases, such as those in Ecuador and Brazil, or the most recent in Colombia, reveal how little interest many companies take in information security, and also show the inability of authorities and private companies to implement adequate recovery processes.
International Institute of Cyber Security (IICS) ethical hacking specialists believe that the security standards set up or implemented by some companies have a negative impact on user safety, which, as mentioned above, exposes people to data theft and other malicious activities.