A breach of location data from a widely used family tracking app has exposed its users to real-world safety risks, a cybersecurity expert has warned.
The breach involved the app Family Locator: real-time data for 238,000 users was left in a MongoDB database reachable from the internet with no authentication, meaning anyone who found it could read it without a password.
It was discovered by security researcher Sayam Jain, who found that the records included names, email addresses, profile photos and passwords stored in plain text, alongside real-time locations.
It is by no means the first time such a database has been left exposed online, but a location data breach poses particularly severe issues for those impacted.
“This is another example of when features and time to market trump the need to secure data. When my password is exposed in yet another data breach, while frustrating, I have the option to simply change it and the risk is blocked,” explained Gavin Millard, VP of intelligence at Tenable.
“However, the thought of someone I don’t know having access to exactly where I am, or where my family members are, in the world at any given time from the comfort of their basement is, other than being a little creepy, a real risk.”
The real-world risks of a location data breach
While any data breach harms the users involved, a location data breach raises problems of its own.
“For example, there has been a spate of house break-ins across England. What the thieves were doing was monitoring newspapers and social media forums for details of weddings and deaths to predict when homes would be empty,” said Millard.
“The information in this tracking app would allow criminals to identify where someone spends large portions of their evenings/nights, which would indicate their home, and then see when that location is empty.
“Another option is that a criminal could piece together details of a person’s behaviour to bring some credibility to a social engineering attack – for example pretending to call from a place the person has recently visited, perhaps suggesting that a payment had failed, to try to get the victim to disclose card details or other information.”
Consumers urged to be wary
For consumers, the advice is to be cautious about which apps they install, particularly those that collect location data.
“For consumers, there is the very real need to weigh up the benefits versus the risks of tracking services, or any app for that matter, when sharing personally identifiable information,” said Millard.
“Consider carefully whether the app is from a credible company, and available from a reputable online store. If you do use this type of app, make sure it is locked down – for example ensure that you only share data when the app is open.”
Meanwhile, developers should take this as yet another reminder of how important security is.
“For developers, it’s critical that they ensure security is baked in from the initial design. For example: robust password management; encryption; good configuration of any cloud services leveraged; etc,” he said.
“The time of the unprotected MongoDB database or the open S3 bucket needs to end.”
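The two failures the article describes, passwords stored in plain text and a MongoDB instance reachable without authentication, are both fixable in a few lines. The following is an added example written for this page, not code from Family Locator, Tenable or MongoDB: the first half shows the plain-text record pattern beside a salted, memory-hard hash using the standard library's scrypt and a constant-time comparison; the second half is a small audit of a mongod.conf that flags the two settings which leave a server open. The sample user record, the two config fragments and the scrypt parameters are constructed for illustration, and the config parser handles only the flat `section:` / `  key: value` subset shown, not full YAML.

```python
"""Password storage and mongod.conf audit. Added example, not the app's code."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed record in the style of the exposed dump (fictional user).
PLAINTEXT_RECORD = {"email": "alice@example.com", "password": "hunter2"}

# scrypt cost parameters: assumption, tune n upwards as hardware allows.
# Memory use is 128 * n * r bytes, so 2**14 / 8 stays under the 32 MiB
# default limit hashlib applies.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN, SALT_BYTES = 2 ** 14, 8, 1, 32, 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$n$r$p$salt_hex$hash_hex'. A fresh random salt per user
    means two users with the same password get different stored values, so a
    leaked table cannot be cracked with one precomputed lookup."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored beside the hash and compare in
    constant time. Anything that is not a well-formed record (for example a
    plain-text password that was never migrated) is rejected."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, hash_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_record(record: dict) -> dict:
    """Replace the plain-text field with a hash; never store the original."""
    out = {k: v for k, v in record.items() if k != "password"}
    out["password_hash"] = hash_password(record["password"])
    return out


# Constructed config fragments: the open-server shape and a hardened one.
WEAK_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> dict:
    """Parse the flat 'section:' / '  key: value' subset mongod.conf uses.
    Assumption: no lists or quoted strings; comments after '#' are dropped."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, container)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        container = stack[-1][1]
        if value.strip() == "":
            child: dict = {}
            container[key] = child
            stack.append((indent, child))
        else:
            container[key] = value.strip()
    return root


def audit_mongod_conf(text: str) -> list:
    """Return findings for the two settings that make a MongoDB world-readable:
    authorization off (no password needed) and binding to every interface."""
    cfg = parse_simple_yaml(text)
    findings = []
    if cfg.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any client "
                        "that reaches the port can read every collection")
    addrs = [a.strip() for a in cfg.get("net", {}).get("bindIp", "").split(",") if a.strip()]
    if not addrs or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp is unset or binds all interfaces: set it "
                        "to loopback or an internal address explicitly")
    return findings
```

Running `audit_mongod_conf(WEAK_CONF)` returns both findings and `audit_mongod_conf(HARDENED_CONF)` returns none; `verify_password("hunter2", PLAINTEXT_RECORD["password"])` is false because a raw password is not a valid stored record, which is the behaviour you want during a migration so that unconverted rows fail closed rather than silently comparing plain text.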