  • An unprotected database containing the data of cinema-goers from Peru was found exposed online.
  • The database contained a trove of data, all in plaintext form, and even partial credit card numbers.
  • The cinema chain responsible for this hasn’t made any announcements to inform their clients about the incident.

Researcher Anurag Sen recently discovered a non-password-protected Microsoft Azure server containing about 14 million login records and 205 million logs of data. Upon investigating further, he and his team realized that the owner of the database was Cineplanet, a Peruvian movie theater chain owned by Intercorp Group, which has been selling tickets online for over eight years now. Since 2018, Cineplanet has also been running a customer loyalty program promoting and selling items in combos, and thus they have been retaining people’s personal details for a while now.

The researcher claims that since he first discovered the unprotected database, it received another 1.5 million entries, so it was a live/production system. The date when the database went online is unknown at this point, but it was finally secured on January 24, 2020. The next question is what kind of data has been leaked. Unfortunately, the answer to this is a pretty long one and includes the following:

  • Personally Identifiable Information (PII)
  • DNI number (similar to social security number)
  • Email address
  • Phone number
  • Full customer address
  • Marital status and other lifestyle details
  • Member logins
  • Unencrypted passwords
  • Internal customer/loyalty member ID numbers
  • Customer loyalty points
  • Gift card balance
  • Purchases
  • Partial credit card number (first four and last four digits)
  • Credit card expiration date
  • Affiliated name and ID number
  • Bank reference code
  • Payment amounts
  • Declined or approved status on purchase attempts
  • Device
  • Browser
  • IP address
  • Session logs
[Images: users_1, users_2, users_3. Source: safetydetectives.com]

Focusing on the credit card data, which is among the most severe exposures, the researcher clarifies that the entries contain the first and last four digits of the card numbers. While malicious actors couldn’t proceed to full exploitation, the data would still be enough to set up scams and various frauds. Especially when combined with the other information that was exposed, there’s really nothing else a scammer could have asked for.

Cineplanet maintains 40 theaters in Peru, so we’re talking about a large entity that should have followed better practices. Besides the failure to secure the database, the organization demonstrated that they are unreliable by storing user passwords without any encryption. The best way for people to respond to this incident would be to boycott Cineplanet and avoid providing such sensitive data to untrustworthy parties in general. Whatever offers, discounts, gifts, and rewards you may have received from the cinema chain are not enough to make up for the damage done by this security incident.