Chinese online shopping giant Gearbest has been hit by a vast data breach that cybersecurity experts say would have been simple to prevent. The breach exposed 1.5 million records and was entirely the result of poor data handling rather than any sophisticated attack.
The exposure, identified by VPNMentor, was not the result of malicious access but of key customer data being left on an unencrypted Elasticsearch server that could be reached without a password. Anyone who found the server could access and search the data, which included orders, payments, invoices and member details.
The exposed data included payment details, customer names, shipping addresses and phone numbers. In some cases national ID or passport information was also exposed.
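The misconfiguration described above is one that can be checked for before a researcher finds it. The following Python audit is added here as an illustration and is not code from the article, VPNMentor or Gearbest. It parses the flat "dotted.key: value" style used by elasticsearch.yml, flags a node that binds a network-reachable address while xpack.security.enabled is off (the default before Elasticsearch 8.0), and classifies the response an unauthenticated GET on port 9200 would return. The weak and hardened configs and the two probe responses are constructed samples; the hardened config is one reasonable correction, not Gearbest's actual fix.

```python
"""Audit an Elasticsearch node for the Gearbest-style exposure: a node bound
to a reachable address with authentication disabled.

Added example, not code from the article, VPNMentor or Gearbest. Assumes the
flat "dotted.key: value" form of elasticsearch.yml and the pre-8.0 default of
xpack.security.enabled=false. Configs and probe responses are constructed.
"""
import json
from collections import namedtuple

Finding = namedtuple("Finding", "severity message")
SEVERITY_RANK = {"info": 1, "high": 2, "critical": 3}

# network.host values that keep the node off the network (ES default is loopback).
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed weak config: the shape that leaves port 9200 open to anyone.
WEAK_CONFIG = """\
cluster.name: shop-prod
node.name: es-1
# bind every interface so the web tier can reach it
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed hardened config: private interface, authentication and TLS on.
HARDENED_CONFIG = """\
cluster.name: shop-prod
node.name: es-1
network.host: 10.0.12.5   # private interface only
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def parse_flat_yaml(text):
    """Parse 'key: value' lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(settings):
    """Return findings for one node's settings; [] means nothing to report."""
    findings = []
    host = settings.get("network.host", "127.0.0.1")
    bound = {h.strip() for h in host.strip("[]").split(",")}
    reachable = not bound <= LOOPBACK_VALUES
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    if reachable:
        findings.append(Finding("info", f"network.host={host!r} is reachable from other hosts"))
    if not auth_on:
        findings.append(Finding("high", "xpack.security.enabled is not true: no authentication"))
    if reachable and not auth_on:
        findings.append(Finding("critical", "anyone who can reach :9200 can read and search every index"))
    if auth_on and not tls_on:
        findings.append(Finding("high", "credentials travel in cleartext: HTTP TLS is off"))
    return findings


def worst_severity(findings):
    """Highest severity present in a finding list, or 'none'."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


def classify_probe(status, body):
    """Classify an unauthenticated GET / against port 9200: a 200 carrying the
    cluster banner means the node answers anyone, a 401 means the security
    layer is demanding credentials."""
    if status == 401:
        return "auth-required"
    if status == 200:
        try:
            if "cluster_name" in json.loads(body):
                return "open"
        except ValueError:
            pass
    return "unknown"


# Constructed probe responses: what an open node and a secured node return.
OPEN_BANNER = json.dumps({"name": "es-1", "cluster_name": "shop-prod",
                          "tagline": "You Know, for Search"})
AUTH_ERROR = json.dumps({"error": {"type": "security_exception",
                                   "reason": "missing authentication credentials for REST request"},
                         "status": 401})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_flat_yaml(cfg))
        print(f"{label}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
    print("probe open node:", classify_probe(200, OPEN_BANNER))
    print("probe secured node:", classify_probe(401, AUTH_ERROR))
```

The audit treats a missing xpack.security.enabled as disabled because that was the default on the 6.x and 7.x releases current in 2019; on 8.x the default is enabled, so adjust the assumption for the version actually deployed. The probe classifier is the part a scanner or an internal asset inventory would run against every host that exposes 9200.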
Database breaches are too common
It is by no means the first time this type of breach has occurred, suggesting companies are failing to learn from basic security mistakes.
“Gearbest’s data leak of over 1.5 million customer records adds to a growing list of organisations that have suffered security lapses in 2019 due to misconfigured Elasticsearch servers. However, Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords, were among the exposed information,” said Brian Johnson, CEO and co-founder of DivvyCloud.
“This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more.”
“This breach could have been easily prevented if Gearbest had put in place basic password protection to this database, and applied the learnings from a similar breach just over a year ago to improve their security practices and policies,” added Stephan Chenette, CTO and co-founder of AttackIQ.
“All too often, companies suffer similar breaches because they don’t fully understand the cause of the previous breach, and how to recover. Organisations that have systems in place to proactively test the efficacy of their security controls are not only better protected, but can improve over time as they find and remediate gaps in their security program.”
Gearbest data breach: Diligence needed
Gearbest ships to 250 countries, and is in the top 100 websites for almost a third of the regions it serves. It is a key online retailer of electronics from brands including Asus, OnePlus, Huawei, Intel and Lenovo.
It also has a significant presence in multiple parts of the EU, including the UK, Spain and Poland, meaning GDPR could apply to the Gearbest data breach.
Given the size and reach of the company, it is essential that Gearbest – and other similar companies – learn from the incident urgently to avoid potentially devastating financial and reputational damage.
“Organisations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls,” said Johnson.
“Automated cloud security solutions would have been able to detect the misconfiguration in the Elasticsearch database and could either alert the appropriate personnel to correct the issue, or trigger an automated remediation in real-time. These solutions are essential to enforcing security policies and maintaining compliance across large-scale hybrid cloud infrastructure.”
“Misconfigurations like this are, unfortunately, a dime a dozen. Organisations are tasked with the hefty burden of continuously monitoring all IT assets and 100+ potential attack vectors. Through this process, companies are likely to detect thousands of vulnerabilities—far too many to tackle all at once,” added Jonathan Bensen, CISO and senior director of product management at Balbix.
“The key to preventing breaches is to leverage security tools that employ artificial intelligence and machine learning that analyse the tens of thousands of data signals to prioritise which vulnerabilities to fix first, based on risk and business criticality.
“In Gearbest’s case, a database containing huge swaths of sensitive customer information is critical to the business, and addressing any vulnerabilities in its security should have been highly prioritised. Organisations must adopt advanced security platforms to proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs.”