- Gartner has left an Elasticsearch cluster on “public” visibility for at least eight months.
- Bob Diachenko discovered the database and made worrying revelations about its contents.
- Gartner believes that the data isn’t sensitive and claims that it was publicly sourced.
Researcher Bob Diachenko has discovered a misconfigured Elasticsearch cluster containing more than 1TB of data, after searching on the Shodan and BinaryEdge engines. According to the tracking data, the database was publicly accessible since at least January 2019 and it looks like it belongs to CEB Inc, a subsidiary of Gartner focusing on global best-practice insights. Gartner is a global research advisory firm from Connecticut, focused on the IT sector. Having bought CEB back in April 2017, they really can’t put the blame on previous admin teams.
Mr. Diachenko discovered the database on August 14, 2019, and informed Gartner immediately. The company acknowledged the reception of the notification, confirmed that the database was a legacy system, thanked the researcher, and secured the database. However, and contrary to Gartner’s claim that the data was publicly sourced, the researcher has found over 155 million records that contained very sensitive employee information. Details include their full names, bio, skills, employment records, emails of communication, and more. Another piece of evidence that this wasn’t just publicly sourced data was the presence of an API key that malicious actors could have used in order to penetrate further inside the corporate network.
There is no evidence that someone has accessed this data, as there has been no locking down of the data for extortion. However, and considering the extensive period that this database was left open for, the researcher considers the chance of someone having exfiltrated this trove of data almost certain. To the time of writing this, Gartner hasn’t issued an official statement about this incident and based on their previous take on the matter, it doesn't look like they want to treat it as anything serious.
Since the beginning of the year, we have reported eight unprotected database incidents discovered by Bob Diachenko alone. The problem with database protection misconfiguration is one that doesn’t seem like subsiding any time soon, so the researcher has decided to organize a webinar session where he will lay out everything around database protection and how professionals should maintain MongoDB, CouchDB, and Elasticsearch databases with responsibility. If you are interested, send an email at bob(at)securitydiscovery.com. Our opinion is that if you are engaged in data management, you should take this masterclass and help put an end to this troubling security problem.