Records belonging to Fox News have been exposed online through a non-password-protected database.
Security researcher Jeremiah Flower and the Website Planet research team discovered that the exposed database included 58.03GB of data with just short of 13 million records. The records included Fox News content, storage information, internal Fox emails, usernames, employee ID numbers, affiliate station information and more. One folder is said to have contained 65,000 names of celebrities, cast and production crew members and their internal Fox identification reference numbers.
Many of the exposed files were labeled “prod,” which is usually an abbreviation for production or live records. Other files reference “CRM,” as in customer relationship management. Fowler notes that a content management system helps an organization manage digital content. The digital asset management database shows a detailed look at the internal collaborative environment divided by users, administrators and content.
Fox News responded to the data breach by claiming that exposed files were part of a “development environment not connected to any production environment.” The exposed database has since been taken down.
Whether it was test data – as Fox News suggests, or real data is subject to speculation.
“Using real or realistic data at scale is an important test for most systems before they go live,” Willy Leichter, chief marketing officer of security automation solutions provider LogicHub Inc., told SiliconANGLE. “But this is where we see developers get careless, or simply disregard security best practices. The almost 13 million records exposed could have fit on a single USB stick and the data was likely shared by multiple developers – who probably felt password protection was a hassle.”
Leichter noted that it’s unknown whether the data was actually stolen but should assume it was. “Research has shown that a new, unprotected server spun up on Amazon Web Services Inc. will be scanned by hackers in less than 10 minutes,” Leichter explained. “If a researcher found this database unprotected, we should assume that the army of hackers has already found and exploited it.
James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc. commented that “when organizations, contractors and third-party suppliers work on data that contains personally identifiable information, they must have policies, procedures and audits requiring password protection and data encryption. These steps ensure that any accidental exposure to the internet will reduce the risk of unauthorized access of data or having it stolen.”
“Whenever organizations upload data to be accessible via the cloud, all data must be secured and restricted to authorized users to reduce the risk of a sensitive data leak,” McQuiggan added. “With proper and robust security education and training, developers can understand and implement adequate access and identity management controls, which support the organization’s policies to protect all uploaded data.”