A database belonging to Australian event planning startup Amazingco was found leaking more than 200,000 records with personal details tied to children’s entertainment, wine tour events and more.
Amazingco, which is based in Australia but offers services in New Zealand and the U.S., connects customers with event planning organizers for experiences such as company picnics, kids’ entertainment and wine tours. The company’s platform is used by more than one million organizers and attendees, according to its website.
Researchers on Monday said that they found 212,220 total records with customers’ personal details – including names, emails, phone numbers, addresses – left exposed in an Elasticsearch database.
“These records contained names, email, phone numbers, addresses, and notes about the events,” said Jeremiah Fowler, senior security researcher at Security Discovery, in a post. “A large portion of these were for children’s entertainment and wine tours. These also included customer feedback in detail and internal notes on specific events.”
Amazingco did not respond to a request for comment from Threatpost.
Fowler said that he discovered the publicly accessible Elasticsearch database – visible in any browser and accessible without administrative credentials – on May 11. Fowler sent notification messages to Amazingco and did not hear back. He has since confirmed that the database is now closed and no longer publicly accessible.
Of the 212,220 total records, up to 174,000 were part of a folder titled “Customers” with user names, emails, phone numbers, internal notes and other sensitive details about clients. In addition, Fowler said that he discovered IP addresses and storage information that could be exploited by cybercriminals to further access the network.
“The downside to this is that each of these were connected to the client’s real personally identifiable data and the files also included internal notes on the clients, their events and any challenges Amazingco’s staff experienced,” said Fowler.
Researchers said it is unclear how long the customers’ data was exposed online or whether anyone had accessed it; however, Fowler speculated that the data may have been available for at least a week before the notification was sent.
Inadvertent data exposure continues to plague companies. Just last week, it was discovered that IT services provider HCL Technologies inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains. Also last week, the Game Golf app for golfers was found exposing millions of personal records (in a database also discovered by Fowler).
Earlier in May, misconfigured cloud databases inadvertently leaked personally identifiable information (PII) in the care of two companies: The Ladders headhunting and job recruitment site, and the SkyMed medical evacuation service. And in April, an Elasticsearch database that was left open to the internet exposed about 4.9 million data points of personally identifiable information (PII) related to individuals seeking treatment at an addiction treatment facility, Steps to Recovery.
“This is yet another wake-up call for any company, large or small, who collects customer data and stores it online,” Fowler said. “It does not matter whether the customers are software users from around the world or small children at a birthday party in Australia, the same data protection and privacy safeguards should be taken.”