The personal data of 4 million applicants for internships at a non-profit organization was exposed in a breach.
The data included the applicants’ names, email addresses, gender, and personal essays, and was exposed via a misconfigured Elasticsearch database on the website of AIESEC, a “youth-run” non-governmental organization with over 100,000 members worldwide. The leak was initially found by Bob Diachenko of SecurityDiscovery.com using Shodan, a search engine that indexes Internet-connected devices.
“This raises the question of how charities and non-profits with limited resources can afford to safely manage millions of sensitive files,” wrote Diachenko in a blog detailing his findings.
AIESEC confirmed the data leak:
“We take the security of our customers’ information extremely seriously. After looking into this matter, we immediately secured the vulnerability, disabling unauthorized access to the cluster. The data was cached on the node for testing purposes and mistakenly left unsecured. We can confirm that the server now contains no sensitive information.”
This isn’t the first time an Elasticsearch misconfiguration has led to a major leak. In November 2018, Diachenko also found roughly 57 million records of American citizens in a single unsecured instance apparently belonging to a Canadian data firm. The Brazilian government and a fitness company experienced similar leaks in late 2018 as well.
Elasticsearch was originally designed for private networks that were not connected to the Internet, and until fairly recently it lacked many basic security features. As search engines like Shodan grow in popularity, similar large-scale leaks are likely to keep being discovered.
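The misconfiguration pattern behind these leaks, shown as an added example that is not AIESEC's configuration or anything from the article: a hypothetical `elasticsearch.yml` excerpt with the exposing settings (as comments) beside a hardened version. The `xpack.security` settings are an assumption about the Elasticsearch build in use.

```yaml
# Hypothetical elasticsearch.yml excerpt (added example; not AIESEC's configuration).

# WEAK (the pattern behind the leaks above): binding the REST API to every
# interface on an Internet-facing host, with no authentication, lets anyone
# who finds port 9200 (for example through Shodan) read every index:
#   network.host: 0.0.0.0
#   http.port: 9200

# HARDENED: bind only to loopback or a private-network address, so the node
# is not reachable from the Internet at all; put any external access behind
# a reverse proxy or VPN instead.
network.host: 127.0.0.1
http.port: 9200

# Require authentication and encrypt node-to-node traffic. These X-Pack
# settings are an assumption: they exist only in Elasticsearch builds and
# licences that include the security module, so check your version.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```

After restarting the node, an unauthenticated request to port 9200 from outside the host should fail to connect rather than return the cluster banner; a node that was only meant for testing is worth checking the same way.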