Incident Of The Week: Automotive Data Broker Exposes 200 Million Records With Misconfigured Database

More Than 400GB Of Personal, Financial And Vehicle Data Leaked



Jeff Orr
09/13/2019


A database for vehicle sales marketer Dealer Leads containing nearly 200 million records has been discovered online. The publicly accessible database was discovered by security researcher Jeremiah Fowler in August 2019. He described his discovery and the search for the owner of the Elastic DB database on his Security Discovery blog.

The misconfigured database contained more than 400GB of data left in view of anyone with a web browser. The Elastic DB database was publicly accessible and did not require any administrative credentials.
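The exposure pattern described above (an Elasticsearch node reachable from the internet with no authentication) next to a hardened configuration, as an added illustration that is not part of the article and not Dealer Leads' actual configuration; it assumes Elasticsearch 7.x with the free basic-license security features, and the host address and certificate path are placeholders.

```yaml
# elasticsearch.yml, constructed example (not the configuration from the incident)
# --- Exposed: the pattern behind this incident ---
network.host: 0.0.0.0            # listens on every interface, including the public one
http.port: 9200
xpack.security.enabled: false    # anyone who can reach port 9200 can read every index
---
# --- Hardened: bind privately, require credentials, encrypt the HTTP API ---
network.host: 10.0.1.5           # placeholder: a private interface only; reach it via VPN or a firewalled app tier
http.port: 9200
xpack.security.enabled: true     # API calls now need a user; bootstrap users with bin/elasticsearch-setup-passwords
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path to the node's HTTP certificate
# Check from outside the host: an unauthenticated GET to https://<host>:9200/ should return 401,
# not cluster or index data.
```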

The exposed data included nearly 200 million records consisting of names, phone numbers, email addresses, loan and financing inquiries, visitor IP logs, vehicles for sale and other data gathered to help target potential car buyers and match them with local auto franchises and independent dealerships. Dealer Leads restricted public access to the database after the researcher notified it of the exposure.

See Related: Incident Of The Week: Millions Of Financial Records Exposed By Elasticsearch Database

California-based data broker Dealer Leads owns thousands of automotive websites, each targeting a specific buyer demographic or behavioral characteristic, according to the company’s website. By passing links and users amongst its own sites, the broker hopes to improve its chances of appearing higher on web search results. The concept of domain authority was coined by SEO and marketing tool provider Moz to predict how well a web domain will appear in search results. Google has stated that it does not have such a metric for determining search result placement.

How long the database was visible to the public is not known, and there is currently no evidence that copies of the data have been used or sold. Organizations are advised to notify employees who have visited auto classified ad websites to monitor their accounts for unusual activity.

Questions remain whether the people entered into the automotive marketer’s database were aware that their data was collected, stored, or sold. Organizations that collect and store large amounts of data should take notice. Data privacy is a growing topic of importance for organizations this year.

The European GDPR regulations have been in place for over a year now, and other government bodies are developing similar legislation. Most notably, California passed a consumer data privacy law in 2018 that goes into effect at the start of 2020. The law requires organizations to reconcile where customer data was gathered and to manage requests for data disclosure and for opting out. Other regulations are already in place nationwide for the collection of customer data related to potential product defects in support of safety recalls, and these will likely override consumer requests to opt out of retaining PII.

See Related: CISO Exchange East Day 2: CISO Priorities For H2 2019 And Embracing The Privacy Imperative
