[BreachExchange] US actor casting company leaked private data of over 260, 000 individuals

Fri Jul 17 01:07:22 EDT 2020

https://www.zdnet.com/article/us-actor-casting-company-leaked-private-data-of-over-260000-individuals/

A popular website used to cast US talent in movies and television
shows exposed the data of roughly 260,000 individuals online.

In a report shared exclusively with ZDNet, the cybersecurity team from
Safety Detectives, led by Anurag Sen, said the breach was discovered
at the beginning of June this year.

New Orleans-based MyCastingFile.com is an online casting agency that
recruits talent. Users can sign up -- for free or on a subscription
basis -- to apply for casting notices. The company claims to have
provided actors for productions including True Detective, Pitch
Perfect, NCIS: New Orleans, and Terminator Genisys.

Safety Detectives discovered an open Elasticsearch server, hosted by
Google Cloud, in the United States. The database was not secured via
any form of authentication and in total, close to 10 million records
were exposed.

The database was 1GB in size and upon investigation, the team found
that over 260,000 users of the website had their profiles leaked,
including aspiring actors and potentially members of staff.

Personally identifiable information (PII) made publicly available via
the leak included names, physical addresses, email addresses, phone
numbers, work histories, dates of birth, height and weight, ethnicity,
and physical features of interest to potential employers -- such as
hair color and length.

Five Major Bot Threats

It is crucial to be vigilant, especially during periods of higher
traffic, since web attacks follow the traffic trends. Read this
whitepaper to learn more about the five major bot threats that
businesses need to be aware of and ready to address.

In addition, the records included vehicle ownership information, such
as model, color, and year of manufacture.

Photographs of faces and bodies were also included in the breach;
however, only some images were exposed as they were hosted at multiple
locations and via different cloud services.

Under 18s are also able to sign up for the platform as long as their
accounts are managed by guardians and they have been given consent.

"From the data breach, it could have been possible to determine what
amount of data belonged to children, although our security team did
not carry out a full download or demographic analysis of the available
data -- first and foremost, for ethical reasons," the team notes.

Server records indicate that the exposure first began on May 31.
MyCastingFile is currently migrating to a new platform so the issue
may be related to the move. (ZDNet has requested clarification.)

Safety Detectives spent some time verifying who owned the database,
eventually reaching out to MyCastingFile on June 11. On the same day,
the agency responded to the report and secured the server.

MyCastingFile's rapid response is, unfortunately, a rarity these days.
In many cases of researchers reporting open database issues,
organizations will take weeks -- or months -- to address the problem,
or may simply ignore requests altogether.

ZDNet has reached out to MyCastingFile with additional queries and
will update when we hear back.