Data protection specialists from security firm vpnMentor reported the detection of a data breach on a Romanian web platform owned by British American Tobacco. Headquartered in the UK, the company is one of the world’s largest manufacturers of tobacco and nicotine-based products.
The vpnMentor research team, led by renowned expert Noam Rotem, found the data breach on an unsecured server connected to YOUniverse(.)com, a domain that is part of a marketing campaign targeting over-18 tobacco users.
This platform collects some records of Romanian citizens who aspire to win tickets to events, parties and presentations by local and international artists. Although the laws in Romania prohibit almost any type of advertising related to tobacco consumption, there are some exceptions, so it is possible for tobacco companies to run marketing campaigns aimed only at consumers over the age of 18.
Upon detecting the exposed database, data protection experts not only discovered that multiple personal details were stored, but also found that the unsecured server had already been infected with a ransomware variant.
Although investigators tried to report the exposed database on multiple occasions (to the tobacco company, the database operators and Romanian authorities), the information remained exposed for at least a couple of months. Finally, access to the database was closed last November 27; however, no organization responded to the report.
Among the main details exposed during the incident are:
- Full names
- Birth dates
- Phone numbers
- Email addresses
- Some details about smoking habits
To complete their registration, users had to enter a code obtained through the purchase of a pack of cigarettes.
So far, data protection experts have been unable to determine the number of potentially affected users; however, even though multiple entries in the database are repeated or empty, each daily log has about 50 million entries, so the scope of this incident could be considerable.
The main security risk for affected users is related to the malicious use of personal information; a threat actor could be preparing a spear phishing campaign targeting consumers of these products and, although the data breach does not include financial information, some fraud could be possible using only information such as names and phone numbers. Other companies, like insurance services, could take advantage of this information, as it is very common for insurers to raise their rates in the event that a customer is a tobacco consumer.
This is a perfect example of the consequences of not properly securing a server, as mentioned by the data protection experts from the International Institute of Cyber Security (IICS). To avoid such incidents, we recommend that you take basic security measures such as implementing authentication for access to any area of the system and proper configuration of access rules.