[BreachExchange] Gearbest data breach “easily” preventable as 1.5 million shoppers affected

Destry Winant destry at riskbasedsecurity.com
Fri Mar 15 09:05:59 EDT 2019


https://www.verdict.co.uk/gearbest-data-breach/

Chinese online shopping giant Gearbest has been hit by a vast data
breach that cybersecurity experts say would have been simple to
prevent. The Gearbest data breach has seen 1.5 million records
exposed, but is entirely the result of poor data handling.

The data breach, which was identified by VPNMentor, was not the result
of malicious access, but of key customer data being left on an
unencrypted Elasticsearch server. This meant that anyone could access
and search the data, which included orders, payments and invoices and
key member details.

Among the data exposed was payment details, customer names and
shipping addresses and phone numbers. In some cases national IDs or
passport information was also exposed.
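The failure described above is a configuration class, not an exploit: an Elasticsearch REST API bound to a non-loopback address with the security features left off. The following is an added example, not code from the article or from Gearbest or VPNMentor, showing how a defender can lint an elasticsearch.yml for that combination before the node ships. It assumes the flat dotted-key layout Elasticsearch uses, treats a missing xpack.security.enabled key as "disabled" (conservative; newer releases default it on), and the two sample configurations embedded below are constructed for the demo.

```python
"""Audit an elasticsearch.yml for an HTTP API that is reachable beyond the
host while authentication (and transport encryption) is switched off."""

# Values of network.host that keep the REST API on the local machine only.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat `dotted.key: value` lines used by elasticsearch.yml.

    Comments and blank lines are skipped. Values are kept as strings; list
    syntax such as ["0.0.0.0", "::1"] is left for bind_addresses() to split.
    This is deliberately minimal and does not handle nested YAML blocks.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def bind_addresses(value):
    """Turn `0.0.0.0` or `["0.0.0.0", "127.0.0.1"]` into a list of tokens."""
    tokens = [tok.strip(' []"\'') for tok in value.split(",")]
    return [tok for tok in tokens if tok]


def is_true(settings, key):
    """Conservative reading: only an explicit `true` counts as enabled."""
    return settings.get(key, "false").strip().lower() == "true"


def audit_config(text):
    """Return a list of findings for the given elasticsearch.yml text.

    An empty list means the checks in this script found nothing; it is not
    a statement that the node is secure in every other respect.
    """
    settings = parse_flat_yaml(text)
    findings = []

    # Elasticsearch binds loopback only when network.host is absent.
    host_value = settings.get("network.host", "_local_")
    exposed = any(addr not in LOOPBACK_VALUES for addr in bind_addresses(host_value))
    if not exposed:
        return findings  # local-only API: the breach pattern does not apply

    if not is_true(settings, "xpack.security.enabled"):
        findings.append(
            "CRITICAL: network.host=%s exposes the REST API beyond localhost "
            "with xpack.security.enabled unset/false; every index is readable "
            "without credentials." % host_value
        )
    else:
        if not is_true(settings, "xpack.security.http.ssl.enabled"):
            findings.append(
                "WARNING: authentication is on but HTTP TLS is off; "
                "credentials and documents travel in cleartext."
            )
        if not is_true(settings, "xpack.security.transport.ssl.enabled"):
            findings.append(
                "WARNING: node-to-node transport is not encrypted."
            )
    return findings


# Constructed sample: the shape of config behind the incident described.
WEAK_CONFIG = """
cluster.name: shop-orders
network.host: 0.0.0.0
http.port: 9200
# no xpack.security.* keys at all
"""

# Constructed sample: same exposure, but with security features enabled.
HARDENED_CONFIG = """
cluster.name: shop-orders
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print("%s: %s" % (label, result or ["no findings"]))
```

Run it over a real file with `audit_config(open("/etc/elasticsearch/elasticsearch.yml").read())` from a config-review pipeline or CI job; a non-empty result is the point at which to fail the build rather than discover the index from a third-party disclosure.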

Database breaches are too common

It is by no means the first time this type of breach has occurred,
suggesting companies are failing to learn from basic security
mistakes.

“Gearbest’s data leak of over 1.5 million customer records adds to a
growing list of organisations that have suffered security lapses in
2019 due to misconfigured Elasticsearch servers. However, Gearbest’s
incident stands out since passport numbers, national ID numbers and
full sets of unencrypted data, including email addresses and passwords
were among the exposed information,” said Brian Johnson, CEO and
co-founder of DivvyCloud.

“This data could allow hackers to easily steal Gearbest’s customers’
identities by cross-referencing with other databases, and allow
malicious actors access to online government portals, banking apps,
health insurance records, and more.”

“This breach could have been easily prevented if Gearbest had put in
place basic password protection to this database, and applied the
learnings from a similar breach just over a year ago to improve their
security practices and policies,” added Stephan Chenette, CTO and
co-founder of AttackIQ.

“All too often, companies suffer similar breaches because they don’t
fully understand the cause of the previous breach, and how to recover.
Organisations that have systems in place to proactively test the
efficacy of their security controls are not only better protected, but
can improve over time as they find and remediate gaps in their
security program.”

Gearbest data breach: Diligence needed

Gearbest ships to 250 countries, and is in the top 100 websites for
almost a third of the regions it serves. It is a key electronics
supplier for brands including Asus, OnePlus, Huawei, Intel and Lenovo.

It also has a significant presence in multiple parts of the EU,
including the UK, Spain and Poland, meaning GDPR could apply to the
Gearbest data breach.

Given the size and reach of the company, it is essential that Gearbest
– and other similar companies – learn from the incident urgently to
avoid potentially devastating financial and reputational damage.

“Organisations like Gearbest must learn to be diligent in ensuring
data is protected with proper security controls,” said Johnson.

“Automated cloud security solutions would have been able to detect the
misconfiguration in the Elasticsearch database and could either alert
the appropriate personnel to correct the issue, or trigger an
automated remediation in real-time. These solutions are essential to
enforcing security policies and maintaining compliance across
large-scale hybrid cloud infrastructure.”

“Misconfigurations like this are, unfortunately, a dime a dozen.
Organisations are tasked with the hefty burden of continuously
monitoring all IT assets and 100+ potential attack vectors. Through
this process, companies are likely to detect thousands of
vulnerabilities—far too many to tackle all at once,” added Jonathan
Bensen, CISO and senior director of product management, Balbix.

“The key to preventing breaches is to leverage security tools that
employ artificial intelligence and machine learning that analyse the
tens of thousands of data signals to prioritise which vulnerabilities
to fix first, based on risk and business criticality.

“In Gearbest’s case, a database containing huge swaths of sensitive
customer information is critical to the business, and addressing any
vulnerabilities in its security should have been highly prioritised.
Organisations must adopt advanced security platforms to proactively
manage risk and avoid breaches instead of reacting to a security
incident after it occurs.”
