An unencrypted database belonging to movie ticket subscription service MoviePass has been discovered online, exposing 161 million records.
Many of the records were log messages generated by the server. However, more than 58,000 records contained card data. Many of these were MoviePass card numbers, but the database also contained both partial and complete personal banking information, such as credit card numbers, expiry dates, full names and addresses, which would provide cybercriminals with enough information to make fraudulent purchases.
Records of failed login attempts containing email address and password data were also discovered.
The unsecured database was discovered on the company’s servers by Mossab Hussein, a security researcher for cybersecurity firm SpiderSilk.
Despite Hussein warning the company about the vulnerability over the weekend, the exposed database remained publicly accessible until Tuesday, when TechCrunch, which broke the story, reached out. New logs continued to be added to the database until it was removed.
It is thought to have been exposed for months. However, it is unclear whether it has been accessed by malicious actors.
Data-collecting companies must take responsibility
Businesses are increasingly turning to the subscription model to monetise their products, meaning that they are also increasingly storing their customers’ personal information, including the payment details needed to collect recurring payments.
However, many of these businesses are still suffering security incidents as a result of basic security lapses.
“MoviePass joins Honda, AavGo, Rubrik, Gearbest and countless other organisations this year to fall victim to data leaks via cloud service misconfigurations,” Chris DeRamus, CTO of DivvyCloud, said.
The most recent was Suprema, an access control provider that uses biometric data to grant access to secure facilities. The company reportedly left the database for its BioStar 2 security platform unsecured online, exposing biometric data including fingerprints, voice data and facial images, as well as username and password combinations belonging to its customers.
“Far too often data breaches occur due to companies leaving their databases unprotected, as witnessed last week with the first biometric database breach. Unfortunately, MoviePass suffered a breach because of the same severe lapse of security,” Kevin Gosschalk, CEO of Arkose Labs, said.
According to DeRamus, the cause of these frequent unencrypted database exposures is that companies lack the tools to correctly configure their software, or to spot misconfigurations. However, the MoviePass breach is “even worse” than similar breaches due to the company’s lack of initial response when notified.
MoviePass breach: Customers could take their business elsewhere
“Leaving sensitive customer data unencrypted on an exposed database could not have come at a worse time for MoviePass as it is still recovering from a series of unfortunate events like decline in customer base, its forced reset of users’ passwords in April 2019, and the emergence of Regal Entertainment’s competing service,” Vinay Sridhara, CTO of Balbix, said.
The service peaked in mid-2018 with more than three million subscribers. However, having struggled with sustainability issues and technical problems throughout 2019, the MoviePass subscriber base has reportedly since dropped 90% to 225,000, according to Business Insider.
In order to bounce back from its latest issue, argued Sridhara, MoviePass needs to prioritise cybersecurity to restore its brand image and customer trust.
By failing to do this, MoviePass could see more of its user base head elsewhere, such as to Regal Unlimited, a rival movie subscription service that launched earlier this year in the United States.
“According to a recent survey from PwC, 87% of consumers take their business elsewhere if they do not trust a company is handling their data responsibly, so it will not be surprising if affected customers take their business to alternative services like Regal Entertainment’s Regal Unlimited instead,” Ben Goodman, CISSP and SVP of global business and corporate development for ForgeRock, said.