- Security researcher Bob Diachenko discovered a MongoDB database that contained personal information, insurance information and healthcare data of over 2 million citizens of Mexico.
- The database was visible via Shodan, a search engine that indexes internet-connected devices of all kinds and not just web servers.
- After the security researcher reported the issue to Hova Health, the healthcare service provider for Mexico, the issue was patched within three hours.
After the recent data breach in Singapore that led to the data of 1.5 million citizens being stolen, Mexico finds itself facing a data exposure that may have compromised the data of over 2 million citizens. A vulnerability was found in a MongoDB database that made the information of citizens registered by healthcare provider Hova Health publicly visible via some search engines.
Security researcher Bob Diachenko found the MongoDB database by using Shodan, a search engine that covers not only web servers but also any internet-connected device. Because Hova Health had not properly implemented the security settings, Diachenko was able to gain access to the database without requiring a password.
Diachenko wrote in a post: “Issues with MongoDB have been known since at least March of 2013 and have been widely reported since. The company has updated its software with secure defaults and has released security guidelines. It’s been five years now, and these unsecured databases are still widely available on the Internet, almost 54,000 of them now, according to Shodan.”
It is unknown if anyone else has already accessed or stolen the private data from the MongoDB servers. After being notified about the security flaw, Hova Health quickly addressed the issue via a security update. The information in the database includes names, gender information, date of birth, health and disability information, information data and addresses. It is not known who the data belongs to as Hova Health did not claim direct ownership of the MongoDB database. With malware and ransomware attacks prevalent in the healthcare sector, private medical data being publicly available poses critical privacy risks.
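For administrators who want to check their own deployment for the condition described above (a MongoDB instance reachable over the network without a password), the following is an added example, not code from the article or from Hova Health. It audits a `mongod.conf` for the `security.authorization` and `net.bindIp` / `net.bindIpAll` settings; the sample configurations are constructed, and an absent `bindIp` is treated as localhost, the default since MongoDB 3.6.

```python
# Added example: flag the two mongod.conf settings behind an open database.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_conf(text):
    """Flatten 'section:' / '  key: value' lines into dotted keys.
    Assumption: only two-level keys matter here; deeper nesting is ignored."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip() or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not line[0].isspace():                  # top-level key opens a section
            section = key
        elif section:
            settings[f"{section}.{key}"] = value.strip("\"'")
    return settings

def audit(text):
    """Return finding codes for a mongod.conf given as text."""
    conf = parse_conf(text)
    findings = []
    # Without authorization enabled, any client that can connect can read data.
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("NO_AUTH")
    binds = {ip.strip() for ip in conf.get("net.bindIp", "localhost").split(",")}
    if conf.get("net.bindIpAll", "false").lower() == "true" or binds - LOOPBACK:
        findings.append("NON_LOOPBACK_BIND")
    return findings

# Constructed sample configurations (not taken from any real system).
WEAK = """
net:
  port: 27017
  bindIp: 0.0.0.0      # listens on every interface
"""
HARDENED = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

Both findings together correspond to the exposure in this incident; `NON_LOOPBACK_BIND` on its own still warrants a firewall review, since the bind address alone does not show whether the port is reachable from the internet.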