On May 11th I discovered a non-password-protected Elastic database that contained detailed customer records and leads or potential customers. Upon further investigation of the data it appeared to belong to an Australian-based company called Amazingco that also offers services in New Zealand and the USA. I sent a notification to Amazingco on the same day the data was discovered. On May 13th I sent a follow-up message to Amazingco and confirmed that the database had been closed and was no longer publicly accessible. No reply or response was given to the previous notifications or the request for comment on May 24th.
The database contained a folder titled “Customers” that contained 174,000 records. These records contained names, emails, phone numbers, addresses, and notes about the events. A large portion of these were for children’s entertainment and wine tours. These also included detailed customer feedback and internal notes on specific events. The vast majority of the notes that I read were positive and praised the entertainers, tour guides, and experiences. The downside to this is that each of these was connected to the client’s real personally identifiable data, and the files also included internal notes on the clients, their events, and any challenges Amazingco’s staff experienced.
- This was an Elastic database left open and visible in any browser (publicly accessible); anyone could access customer data without administrative credentials.
- 212,220 records in total, including many user names, emails, phone numbers, internal notes, and other sensitive details.
- IP addresses, ports, pathways, and storage info that cybercriminals could exploit to reach deeper into the network.
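An exposure like the one described above is typically the product of a node bound to a public interface with authentication switched off. The two elasticsearch.yml fragments below are an added illustration, not Amazingco's actual configuration (which the post never shows): the first is the weak setting, the second the hardened form; the cluster name, interface address and certificate paths are placeholders, and the keys assume Elasticsearch 7.x or later.

```yaml
# --- Weak: what an openly readable node usually looks like (constructed example) ---
# Listening on every interface with security off means any client that can reach
# port 9200 can list indices and read documents without presenting credentials.
cluster.name: example-cluster          # placeholder
network.host: 0.0.0.0                  # binds to all interfaces, including public ones
http.port: 9200
xpack.security.enabled: false          # no authentication, no TLS

---
# --- Hardened: same node, reachable only where it should be, with auth and TLS ---
cluster.name: example-cluster          # placeholder
# Bind only to loopback or a private/internal interface; keep it off the Internet.
network.host: 127.0.0.1                # or a private address such as 10.0.0.5 (placeholder)
http.port: 9200

# Require credentials on every request (built-in users and roles, or API keys).
xpack.security.enabled: true

# Encrypt the HTTP API so credentials and documents are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12               # placeholder path

# Encrypt node-to-node traffic (required once security is on in a multi-node cluster).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12     # placeholder path
xpack.security.transport.ssl.truststore.path: certs/transport.p12   # placeholder path
```

A host firewall or cloud security group that admits only known application and admin addresses to ports 9200 and 9300 belongs alongside this, since a binding mistake alone should not be enough to publish the data. After the change, an unauthenticated request to the node from outside that allow-list should be refused with a 401 rather than answered with the cluster banner.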
According to their website:
“Over 35,000 experiences delivered. That’s over ONE MILLION happy organizers and joyful attendees!”
It is unclear how long the customer data was exposed online or who may have had access to it. It appears to have been last indexed on Mon, 06 May 2019, and I discovered and reported the data on May 11th. We can speculate that the data may have been available for at least 6-7 days before the notification was sent. This is yet another wake-up call for any company, large or small, that collects customer data and stores it online. It does not matter whether the customers are software users from around the world or small children at a birthday party in Australia; the same data protection and privacy safeguards should be taken.
Amazingco is based in Melbourne, Australia. It is unclear if this data incident was reported to users who may have been affected or to the authorities. The Australian data privacy regulations (Notifiable Data Breach Scheme) provide for some mandatory minimum obligations for “Australian Government agencies, businesses and not-for-profit organizations that have an annual turnover of more than $3 million.” Despite several attempts and a request for comment regarding this data incident, Amazingco had not responded or commented on the data incident at the time of this publication.