The University of Chicago Medicine is the latest organization to join the trail of data leaks through unsecured databases. UChicago Medicine publicly exposed over a million records, which included personal data of its potential donors.
UChicago Medicine Exposed Data Publicly
The researcher Bob Diachenko of Security Discovery spotted another incident of data leakage through an open database. The database, belonging to UChicago Medicine, exposed a large number of records containing details of the university’s donors.
Elaborating on his findings in his blog post, Diachenko stated that he noticed a publicly accessible Elasticsearch instance leaking data. Upon digging further into the matter, he found that the database belonged to The University of Chicago Medicine. The exposed records allegedly included information on the ‘leads’ and the current and previous donors of the entity.
Specifically, the 34GB database entitled ‘data-ucmbsd2’ exposed as many as 1,679,993 records. The leaked information included names, birth dates, gender, contact numbers, residential addresses, email addresses, marital status, income information with current status, and communication notes.
The researcher stated that anyone looking for open databases could have easily found this one, as it was indexed by Shodan.
University Fixed The Matter
After discovering the publicly open Elasticsearch instance and completing the investigation, the researcher was able to quickly establish its link with UChicago Medicine. He then informed the institution of the incident. Following his report, the institution secured the database within 48 hours of the notification. It also provided the following statement to the researcher:
Thank you for bringing this to our attention in a way that allowed us to secure the affected database, prevent unauthorized use or disclosure, and protect our systems and information. As we learn more from our ongoing investigation, we will comply with our responsibilities under all applicable laws and regulations.
UChicago Medicine was fortunate to secure the database due to Diachenko’s report.