Incident Of The Week: 2.8 Million Records Exposed In CenturyLink Third-Party Database

A third-party cloud database consisting of customer, service technician and call agent data for communications service provider CenturyLink has been discovered open to the public. The database consisted of 2.8 million user records and personally identifiable information (PII) for hundreds of thousands of customers.

CenturyLink is a Fortune 500 technology company headquartered in Monroe, Louisiana that offers communications, network services, security, cloud solutions, voice and managed services.

The exposed MongoDB database was discovered by UK product testers Comparitech Limited in collaboration with cyber researcher Bob Diachenko. According to the report, the misconfigured third-party database facilitated notifications between CenturyLink call center agents, field technicians and company customers.

See Related: Behind The Data Breach: Understanding Cloud Security And Misconfigurations

The MongoDB database was first indexed by search engine Shodan on November 17, 2018, which means that the start date for the exposed data may have been earlier.

Once notified by Diachenko, CenturyLink requested time for the FCC to investigate the incident before Comparitech published its discovery this week.

See Related: Building The Business Case For Enterprise Third-Party Risk Management (TPRM)

While there is no evidence that unauthorized access to the data occurred, the combination of personal contact data, physical address, CenturyLink account number and types of services contracted (such as broadband or home security) provide cyber-attackers a convincing playbook for phishing attacks.

MongoDB databases have been the target for many mega-breaches. Thousands of organizations store data using MongoDB. If not properly configured, the data is accessible by the public. In May, a MongoDB database containing 275 million records of Indian citizens was discovered. In June, a database powered by MongoDB containing 188 million records from Pipl and LexisNexis searches was also found to be publicly accessible.

It would be a knee-jerk reaction to point fingers at MongoDB as the cause of the vulnerability. The organization has continued to expand remote access controls in distributions as far back as 2014 and enabled the limits by default since the v3.6 release. A spokesperson told Naked Security, “We respect that our innovative users ask for freedom to set their own course and we do what we can to keep that possible, while at the same time answering to the standards of care expected in safety-conscious measured operations.”

A similar situation occurred with the early enterprise Wi-Fi access points. Initial setup was complicated and many IT administrators did not realize that a separate process was necessary to enable user authentication. This left several early-adopter enterprise organizations allowing anyone within range of their wireless network open access to data stores.

CenturyLink was previously part of a class-action lawsuit in 2018 related to public access to some customer’s personal data. DirecTV and CenturyLink offered a service bundle that was discovered online when a customer searching for their phone number came across billing statements for the service. The lawsuit was settled for more than 1,000 customers later in the year.

The security collaborators have also made other breach discoveries, such as the 700,000 Choice Hotels records exposed by a third-party.

See Related: Cyber-Accountability Market Report: A Look At Third-Party Risk Management