At a glance.
- ElasticSearch misconfiguration exposes records.
- Ontario cannabis distributor's data exposed.
- Patient data exposed in New York healthcare provider breach.
User data leaked in unprotected ElasticSearch servers.
Researchers at Website Planet have discovered two misconfigured ElasticSearch servers exposing over 359 million records, HackRead reports. Though the owner of the servers is unknown, the data were collected using open-source data analytics software developed by UK software vendor SnowPlow Analytics, known to collect website visitor data without user knowledge. The servers were unencrypted and required no password authentication, meaning the 579.4 GB of data could have been accessed by anyone with eyes. The data included geolocation and IP addresses that could allow a threat actor to track the impacted individuals, who number upwards of 15 million. What’s more, the servers were live and actively updating when they were discovered. Both have now been secured, but the responsible party has not been found.
Stolen cannabis sales data spreads like weed.
The Ontario Cannabis Store (OCS), a Canadian government-run agency that oversees the distribution of cannabis to licensed retail stores, has disclosed a data leak that exposed the sales data of more than twelve hundred Ontario stores. High Times reports that OCS sent a letter to retailers earlier this week notifying them of the breach and warning that the compromised data is being circulated throughout the industry. “This data was not disclosed by the OCS, nor have we provided any permission or consent to distribute or use this data outside of our organization,” the letter reads. “The data was misappropriated, disclosed, and distributed unlawfully. As a result, we trust you will refrain from sharing or using this stolen data in any way.” Sources say customer info was not involved, but the data include store names, ranked sales info, inventory numbers, and details about whether the store is independently owned or operated by a corporation or franchisee – information that could put underperforming stores out of business. Deepak Anand, founder of the cannabis company Materia, explained that the data provide “a lot of really competitive insight into who’s doing what, who’s moving what, which retailers are selling what. That certainly could be a leg up and give a leg up to competition within the industry that’s looking to get ahead of the next person.” The incident is being investigated by the Ontario Provincial Police (OPP) as “a criminal matter.”
New York healthcare data breach exposes patient data.
Refuah Health Center, located in the US state of New York, is notifying 260,740 individuals impacted in a cybersecurity incident that occurred last spring. The healthcare provider says that when it discovered that an intruder had gained unauthorized access to its systems, it immediately launched an investigation which concluded in March 2022. It’s unclear, however, why the center waited a year to inform the affected patients. The compromised data included personally identifiable information like names, Social Security numbers, driver’s license and state ID numbers, birth dates, insurance policy numbers, financial account information, and diagnosis info. Refuah’s notification letter states, “We continually evaluate and modify our practices and internal controls to enhance the security and privacy of personal and protected health information. Since this incident, we have installed a new firewall and conducted a vulnerability assessment.”