Security researcher Mossab Hussein from Dubai-based cybersecurity firm SpiderSilk recently discovered an unsecured database on one of MoviePass’ subdomains, exposing a database protection issue that's far too common..
The movie ticketing subscription service’s database contained roughly 161 million records and more than 58,000 of those contained card data. Some of the exposed card data was MoviePass’ own debit cards that store a cash balance but there was also personal credit card numbers belonging to customers that included enough information for a hacker to make fraudulent purchases. Additionally, the unencrypted database contained email addresses and password data related to failed login attempts.
Leaving 58,000+ records containing payment card data unencrypted on a publicly accessible database is concerning enough, however, the fact that MoviePass initially ignored the vulnerability when it was notified is even worse.
Misconfigurations like this are frequent, and enterprises should be thankful when white hat security researchers flag vulnerabilities before they can be exploited. Consumers who trusted MoviePass with their data expect their personally identifiable information to be protected with mature security controls. Within the months that MoviePass’ database was exposed, cybercriminals not only could have made fraudulent purchases, but they also could have launched phishing attacks against MoviePass customers to gain access to additional sensitive information or gain control of accounts with other services.
Threat actors around the world are continuously trying to exploit vulnerabilities and are constantly evolving their tactics to breach security controls. Many companies have tools in place alerting them to possible security issues, but if companies get a list of a thousand problems per day (a realistic number for the average enterprise) this quickly overwhelms the ability for security and risk professionals to analyze, prioritize, and remediate. This scenario is especially familiar to any company operating in the cloud, as the rate of change in cloud environments is enormous. Just ask Honda, Capital One, Gearbest, or Choice Hotels -- a small sampling of companies that have suffered data breaches due to cloud misconfigurations this year alone.
Enterprises need to be able to be able to mitigate cloud security and compliance risk in real-time. The truth is, most companies still lack the proper tools to identify and remediate insecure configurations and deployments on a continuous basis. Automated cloud security solutions must be a priority for all companies that are using cloud services. Without these tools in place, companies will continue to make headlines when they inevitably, but avoidably, fail to protect customer information from bad actors.
