Through an unprotected server, MoviePass exposed tens of thousands of unencrypted customer card numbers.
There are really two separate, yet closely related components to this story. On one side you have a database rich with sensitive, personally identifiable information that is readable in plain text. On the other, you have a misconfiguration that allows anyone with internet access to view that information.
Which is worse? Had the data been masked, the information would still be accessible, but perhaps not so immediately valuable. If access rights were configured properly and appropriately, this discovery might never have been made and there would be no story in the first place.
The right answer is both, as a layered approach to security is the ideal scenario, but either could have conceivably been enough to make this a non-issue. Although this is easy to say in hindsight, organizations of any type or size can drastically reduce their risk of ending up in this position by focusing on locating, and limiting access to, the data attackers would be most interested in, and by verifying that desired configurations are adhered to across all devices and information assets.
Between manual methodologies like scripting and off-the-shelf technologies, organizations have plenty of options to address these types of requirements, even if they’re operating on a budget. For example, a free-yet-powerful option for businesses operating on-premises and in cloud infrastructures is Microsoft’s Windows PowerShell Desired State Configuration (DSC).
Using PowerShell as the underlying engine, administrators can both validate and remediate particularly important configuration settings across critical resources. At a minimum, adhering to configuration baselines creates consistency (and thus reliability) and closes the wide-open doors that attackers seek when infiltrating or navigating a victim’s network. On the other end of the spectrum, most popular database platforms offer some sort of built-in encryption capabilities, although they need to be enabled to provide any value. While it’s possible there can be some added overhead, the impact is negligible when weighed against the added security that data encryption provides.
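A sketch of the validate-then-remediate workflow with DSC, as an added example that is not taken from MoviePass or from Microsoft's documentation. It assumes a Windows database host running Windows PowerShell 5.1 with the NetworkingDsc module installed; the configuration name, TCP port 1433 and the subnet are illustrative assumptions.

```powershell
# Added example: hypothetical baseline for a Windows host running a database.
# Assumptions: NetworkingDsc is installed (Install-Module NetworkingDsc), the
# database listens on TCP 1433, and 10.0.20.0/24 is the application tier.
Configuration DatabaseHostBaseline {
    param(
        [string[]] $NodeName       = 'localhost',
        [string[]] $AllowedSubnets = @('10.0.20.0/24')   # constructed value
    )

    Import-DscResource -ModuleName NetworkingDsc

    Node $NodeName {
        # On a public network, anything not explicitly allowed is dropped.
        FirewallProfile PublicProfileBlocksInbound {
            Name                 = 'Public'
            Enabled              = 'True'
            DefaultInboundAction = 'Block'
        }

        # The database port is reachable from the application tier only,
        # and never on the Public profile.
        Firewall AllowDbFromAppTier {
            Name          = 'DB-Inbound-AppTier'
            DisplayName   = 'Database inbound from app tier only'
            Ensure        = 'Present'
            Enabled       = 'True'
            Direction     = 'Inbound'
            Action        = 'Allow'
            Protocol      = 'TCP'
            LocalPort     = '1433'
            RemoteAddress = $AllowedSubnets
            Profile       = @('Domain', 'Private')
        }
    }
}

# Compile the configuration to a MOF document.
$mof = '.\DatabaseHostBaseline'
DatabaseHostBaseline -OutputPath $mof | Out-Null

# Validate: report drift from the baseline without changing the host.
$result = Test-DscConfiguration -Path $mof -Verbose

# Remediate: list what drifted, then converge the node on the baseline.
if (-not $result.InDesiredState) {
    $result.ResourcesNotInDesiredState | Select-Object ResourceId
    Start-DscConfiguration -Path $mof -Wait -Verbose
}
```

Running only the `Test-DscConfiguration` step on a schedule gives a drift report without making changes, which suits hosts where remediation needs change approval.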
As is the case with virtually anything in cyber security, however, organizations must exercise tremendous discipline and commitment, monetarily, culturally, and otherwise, to effect change.
For organizations that suffer these breaches, it’s highly unlikely they were purposely negligent or playing fast and loose with their customers’ data. Unfortunately for them, the law—and perhaps more so the court of public opinion—does not distinguish between good intentions and bad.