On April 16th I discovered an unprotected and publicly indexed Elasticsearch cluster that contained 3,376,912 records with personally identifiable information (PII).
On closer examination, the database appeared to be part of a cloud environment set up either by a contractor or by the data owner itself. The data owner was Fortum Poland, a subsidiary of the Finnish state-owned energy company Fortum, and the records concerned its Polish customers.
Fortum entered the Polish market in 2003. In the heating and cooling businesses there are three CHP plants and over 800 km of district heating networks, which serve around 360,000 households in the cities of Plock, Wroclaw, Czestochowa, Zabrze and Bytom. The overall electricity generation capacity reaches 233 MW and the heat generation capacity is over 998 MW. In 2019 Fortum had approximately 560 employees in Poland.
Fortum also sells gas and electricity to both business clients and individual customers. The total number of clients to which Fortum supplies gas and electricity is nearly 100,000.
Records details included a number of service fields with personal information such as:
- customer address
- PESEL (national ID number)
- contract details (gas or electricity contract number, annual consumption etc.)
The total number of records does not correspond to the number of people affected, since the same customer could appear in several records for different types of contracts (i.e. gas, heating or electricity). Based on the company's own figures, however, I assume that Fortum's entire customer base in Poland was exposed.
The IP in question was first indexed by the Shodan search engine on April 15th, so I immediately sent a responsible disclosure notice directly to Fortum, and within 24 hours the database was secured / shut down.
In response to my request, Fortum provided me with the following statement:
One of our database service suppliers was working on improving the efficiency of document search. As a result of service deployment, the database was not properly secured and thus exposed to uncontrolled leakage of data of our electricity and gas clients. Immediately after we received information about the case, we blocked the access and started an internal investigation, which confirmed unauthorized access. We informed the GDPR Office; we are fully ready to cooperate with the authorities and follow their guidance regarding possible further steps. At the same time, we continue the internal investigation.
As I have previously reported, the danger of leaving Elasticsearch or similar instances exposed (i.e. with no password or authentication) is huge. As an example, after we deployed an ES honeypot on 14 Apr, it received 24 attacks in less than 3 days; 20 of those were attempts to list clusters and download files. More than 50% of all indexable Elasticsearch clusters have by now been destroyed by malicious injections, such as the Nightlionsecurity worm.
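As an added example (my own code written for this post, not Fortum's and not taken from the honeypot), the following Python script classifies Elasticsearch REST requests in an access log into the stages described above and flags source IPs that listed the cluster and then dumped or destroyed an index. The log lines are constructed, and the size threshold for calling a _search a dump is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real honeypot data.
# They model listing the cluster, dumping an index, and destructive writes.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.10 - - [15/Apr/2020:10:01:03 +0000] "GET /_cat/indices?v HTTP/1.1" 200 2048
203.0.113.10 - - [15/Apr/2020:10:01:05 +0000] "GET /customers/_search?size=10000 HTTP/1.1" 200 9876543
198.51.100.7 - - [15/Apr/2020:11:22:00 +0000] "GET /_cluster/state HTTP/1.1" 200 4096
198.51.100.7 - - [15/Apr/2020:11:22:09 +0000] "DELETE /customers HTTP/1.1" 200 64
198.51.100.7 - - [15/Apr/2020:11:22:10 +0000] "PUT /read_me HTTP/1.1" 200 64
192.0.2.5 - - [15/Apr/2020:12:00:00 +0000] "GET /_cluster/health HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$')

BULK_READ_SIZE = 1000  # assumed threshold: a _search for this many hits at once looks like a dump
ENUM_PATHS = ("/_cluster/state", "/_aliases", "/_mapping", "/_all")

def classify(method, target):
    """Map one Elasticsearch REST request to a stage: enumeration, bulk_read, destructive or other."""
    parts = urlsplit(target)
    path, query = parts.path.rstrip("/"), parse_qs(parts.query)
    if method == "DELETE" or path.endswith(("/_bulk", "/_delete_by_query")):
        return "destructive"
    if method == "PUT" and path.count("/") == 1:  # index creation, e.g. a ransom-note index
        return "destructive"
    if method == "GET" and (path.startswith("/_cat") or path in ENUM_PATHS):
        return "enumeration"
    if method in ("GET", "POST") and "/_search" in path:
        size = int(query.get("size", ["10"])[0])  # Elasticsearch's default page size is 10
        return "bulk_read" if size >= BULK_READ_SIZE else "other"
    return "other"

def analyze(log_text):
    """Return per-IP stage sequences and the IPs that enumerated, then read in bulk or destroyed."""
    stages = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":  # only requests the server actually served
            stages[m.group("ip")].append(classify(m.group("method"), m.group("target")))
    flagged = {ip: sorted(set(seq) - {"other"}) for ip, seq in stages.items()
               if "enumeration" in seq and {"bulk_read", "destructive"} & set(seq)}
    return dict(stages), flagged
```

Running the same logic over a real honeypot or reverse-proxy log gives a quick count of how many visitors went beyond a curious GET / to actual data extraction or destruction.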
How and why we discovered this exposure
Our goal is to help protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide.
Our extensive cybersecurity knowledge lends itself well to searching for and analyzing data leaks. Our due diligence demands that we make every attempt to identify who is responsible and notify them as quickly as possible.
Our hope is to minimize harm to end users whose data was exposed. We take steps to find out what each database contained, for how long it was exposed, and what threats to end users might arise as a result. Our findings are compiled into reports like this one to raise awareness and curb misuse of personal data by malicious parties.