Security Lapse Exposed Sensitive Customer Records In Gearbest Data Breach

Here is another report of a massive data leak from an online retailer. The Chinese e-commerce firm Gearbest inadvertently exposed more than 1.5 million customer records online. The data, allegedly leaked from an unsecured database, caught the attention of Noam Rotem, the same researcher who discovered the data breach at the caller ID app Dalil.

Gearbest Data Breach Leaked Sensitive Records

A recent report published by VPNMentor disclosed a huge data leak traced back to the Chinese e-commerce firm Gearbest. As revealed by researcher Noam Rotem, and later acknowledged by the firm itself, the Gearbest data breach happened because of a security lapse.

Reportedly, the researcher found and accessed an unprotected Gearbest database exposing over 1.5 million records. The exposed data included sensitive information that seriously threatened customers’ security.

The researcher found several distinct databases: an Orders database (information about purchased products and buyers’ details); a Payments and Invoices database (detailed payment information about orders, including buyers’ data and IP addresses); and a Members database (explicit personal and account information about customers, including their passport and national ID details).

Commenting on the severity of this incident, Naaman Hart, Cloud Services Security Architect at Digital Guardian, said,

“While breaches can be seen as almost unavoidable these days, encryption of the data stolen should be a given, especially given the sensitivity of the data Gearbest stored. Worryingly it’s not just the usual names, addresses, passwords and emails; the data includes passport details and national IDs. Gearbest don’t appear to have shown any care in segregating information, that while it’s all personal, it’s not equal.”

Hart further expressed concern about how a bad actor could use this information.

“The data was linked so easily together that a complete profile of someone could be built that exposes the individual to identity fraud. There are many other risks that could now befall the individual customer and trying to fix this problem by invalidating their data by requesting new passports and national IDs is not only difficult, it’s sometimes impossible. Gearbest’s customers may have to accept that they’re forever exposed to additional risk thanks to the mismanagement of their data.”

Gearbest Clarifies The Matter

In response, Gearbest published a detailed notice explaining the incident. According to the notice, the breach happened because staff accidentally shut down the firewalls protecting some ‘external tools’ that the company uses for ‘temporarily storing the data’.

Gearbest also assured customers that its core databases remained secure.

In a later update, Gearbest explained what had happened to the firewalls.

“We found that our IT team changed their IT strategy since early January of 2019 in order to reduce network jitter when visiting the tool’s servers from our network. As a result of that, normal functioning of the firewall system was negatively affected.”

As explained in the update, the firewall was intermittently inactive between January 10 and February 28, 2019. From March 1, 2019, until Rotem discovered the exposed data, the firewall remained entirely inactive.

Gearbest further stated that it had found no sign of the data being downloaded by outsiders.

“…we found that currently no data records have ever been downloaded by others… we believe that no real data records have been actually leaked out.”

On Gearbest’s failure to secure the database, Hart said,

“The most shocking thing about this is the complete mistruth that was told to customers of Gearbest… Data at rest encryption was the promise and it doesn’t appear to have been the case at all. It appears that Gearbest failed on two counts of poor configuration. First, they failed to protect a ‘big data’ elastic search setup and secondly, they failed to encrypt any of that data. Both of these are configuration and best practice problems and frankly there’s little excuse for not implementing them correctly. Ultimately if you can’t trust a company to get the basics right, definitely don’t trust them to keep you and your data safe.”
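Hart’s remark above concerns an Elasticsearch setup that answered requests without authentication once its firewall was off. The script below is an added example written for this page, not code from Gearbest, VPNMentor or any of the quoted vendors. It classifies what an unauthenticated GET against an Elasticsearch root endpoint (port 9200 is the default HTTP port) reveals: an open cluster returns 200 with a JSON body carrying `cluster_name` and a `version` block, while a cluster with authentication enabled answers 401. The host names, cluster name and sample replies are constructed so the script runs offline; pass real host names on the command line to probe live targets you are authorized to test.

```python
"""Added example: classify an unauthenticated HTTP reply from an
Elasticsearch-style data store as exposed, protected, or something else.
Constructed sample replies are embedded so the script runs offline; the
live probe is only used when hosts are given on the command line."""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Finding:
    target: str
    verdict: str  # EXPOSED, AUTH_REQUIRED, NOT_ES, UNDETERMINED, UNREACHABLE
    detail: str


def classify_root_reply(target: str, status: int, headers: dict, body: bytes) -> Finding:
    """Decide what an unauthenticated GET / tells us about the service."""
    header_names = {k.lower() for k in headers}
    if status == 401 or "www-authenticate" in header_names:
        return Finding(target, "AUTH_REQUIRED", "server demands credentials")
    if status != 200:
        return Finding(target, "UNDETERMINED", f"HTTP {status}")
    try:
        doc = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return Finding(target, "NOT_ES", "non-JSON body")
    # An open Elasticsearch root answers with cluster_name and a version block.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        version = doc["version"]
        number = version.get("number", "?") if isinstance(version, dict) else "?"
        return Finding(target, "EXPOSED",
                       f"cluster {doc['cluster_name']!r}, version {number}, no auth")
    return Finding(target, "NOT_ES", "JSON body lacks Elasticsearch fields")


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> Finding:
    """Live check: fetch / without credentials and classify the answer."""
    target = f"{host}:{port}"
    try:
        with urllib.request.urlopen(f"http://{target}/", timeout=timeout) as resp:
            return classify_root_reply(target, resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return classify_root_reply(target, err.code, dict(err.headers), err.read())
    except (urllib.error.URLError, OSError) as err:
        return Finding(target, "UNREACHABLE", str(err))


# Constructed sample replies (hypothetical hosts; not captured from any real server).
SAMPLE_REPLIES = {
    "open-es:9200": (200, {"Content-Type": "application/json"},
                     b'{"name":"node-1","cluster_name":"orders",'
                     b'"version":{"number":"6.5.4"},"tagline":"You Know, for Search"}'),
    "locked-es:9200": (401, {"WWW-Authenticate": 'Basic realm="security"'},
                       b'{"error":{"type":"security_exception",'
                       b'"reason":"missing authentication credentials"}}'),
    "web:9200": (200, {"Content-Type": "text/html"}, b"<html>nothing here</html>"),
}


def scan_samples() -> list:
    """Classify every constructed sample reply, in dictionary order."""
    return [classify_root_reply(target, *reply) for target, reply in SAMPLE_REPLIES.items()]


if __name__ == "__main__":
    findings = [probe(h) for h in sys.argv[1:]] or scan_samples()
    for f in findings:
        print(f"{f.verdict:14} {f.target:18} {f.detail}")
```

Run against the constructed samples, the open cluster is reported as EXPOSED with its cluster name and version, the one with security enabled as AUTH_REQUIRED, and the plain web server as NOT_ES. A check like this, run from outside the network on a schedule, flags the moment a firewall rule silently stops protecting a data store, which is exactly the gap the weeks-long outage described above slipped through.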

Data Breach Due To Human Errors

As Gearbest’s own account shows, and as the history of earlier data breaches confirms, organizations often fail to protect their databases because of human error. Training staff in cybersecurity best practices evidently remains a pressing need.

According to Stephen Gailey, Head of Solutions Architecture at Exabeam,

“Gearbest’s woes highlight a fundamental truth about information security – it doesn’t matter how good your technology is, in the end, it will be let down by poor operational practices. Admittedly some technologies make it harder than others to get things right, but the reality is that operational teams either don’t understand security best practice or are given too little time and resource to follow them. What happened at Gearbest in terms of poor operational controls is happening across the world today and the next company to be in the news is probably being breached as we speak.”

While such incidents have become almost routine, a breach of this kind at a large organization operating internationally is a serious security lapse, since such companies ought to be more vigilant.

According to Anurag Kahol, CTO at Bitglass,

“It’s concerning when it takes an organisation months, or even years, to recognise that a misconfigured server has enabled a breach or a leak. As a global e-commerce provider that ships to over 250 countries and territories, ranks in the top 100 websites in almost 30 percent of said regions, and has subdomains in 18 different languages, Gearbest must adopt a flexible security platform that proactively detects and responds to new threats as they arise. Allowing a server to remain misconfigured for a prolonged period of time increases the odds that a malicious actor can find it and exploit the information therein for their own nefarious purposes.”

What Should Companies Like Gearbest Do?

Anurag Kahol recommends cost-effective measures that companies can adopt to prevent incidents like the Gearbest data breach.

“Throughout 2018 and 2019, misconfigurations have grown in popularity as an attack vector across all industries. This highlights the reality that organisations are struggling with limited IT resources and, consequently, are susceptible to careless and reckless mistakes like misconfigurations. As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage. For example, leading cloud access security brokers (CASBs) provide cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and other capabilities that can give an organisation confidence that its data is truly safe.”
