News has broken that a WWE database leak exposed three million users' home and email addresses, birth dates, earnings, ethnicity, children’s age ranges, genders, and more. Bob Dyachenko of security firm Kromtech told Forbes.com that he discovered an unprotected database, stored in plain text, that was open to anyone who knew which web address to search.
Commenting on this, Ryan Wilk, VP at NuData Security, said: "In less than a month, there is news of a third “non-breach ‘breach’” of sensitive user PII data. The unfortunate mishandling of trusted data by Deep Root, data.gov.uk, and now the WWE continues to show that sophisticated hacking is not required to obtain troves of identity data that can be used to create fraudulent identities or access online personas.
"Data in the wrong hands can have a huge impact. Email addresses and password information, combined with other data on the consumer from other breaches and social media, builds a more complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans and much more. Every hack has a snowball effect that far outlasts the initial breach.
"We have hit a turning point where financial and identity cybercrime has become something that a person with the most basic computer skills can dabble in. Because of this, organisations need to rethink how they protect and identify their users in the digital world. We need to protect all consumer data, but more importantly, we need to make it valueless. Using advanced techniques like Passive Biometrics and Behavioural Analytics gives merchants and FIs a step up on the bad actors looking to monopolise this data. Understanding the user behind the device is key in effect devaluing the stolen identity data to any other person or entity."
Ben Herzberg, research group manager at Imperva, said: "This is yet another heavyweight leak (pun intended) where the ease of cloud deployments probably made someone forget the basics. If you put it out there, someone will take it. This is another example of why each deployment operation of data or applications must be bolted in with security mechanisms, and why simply putting something on a cloud platform does not make it secure."