
Lucky Strike, Pall Mall and Kent consumers’ information leaked; exposed server infected by ransomware

Data protection specialists from security firm vpnMentor reported a data breach on a Romanian web platform owned by tobacco company British American Tobacco. Headquartered in the UK, the company is one of the world’s largest manufacturers of tobacco and nicotine-based products.

The vpnMentor research team, led by renowned
expert Noam Rotem, found the data breach on an unsecured server connected to
YOUniverse(.)com, a domain that is part of a marketing campaign targeting
over-18 tobacco users.

This platform collects records of Romanian citizens who enter to win tickets to events, parties and presentations by local and international artists. Although the laws in Romania prohibit almost any type of advertising related to tobacco consumption, there are some exceptions, so it is possible for tobacco companies to run marketing campaigns aimed only at consumers over the age of 18.

On detecting the exposed database, data protection experts discovered not only that multiple personal details were stored, but also that the unsecured server had already been infected with a ransomware variant.

Ransom note found at the compromised server
SOURCE: vpnMentor

Although investigators tried to report the exposed database on multiple occasions (to the tobacco company, the database operators and Romanian authorities), the information remained exposed for at least a couple of months. Access to the database was finally closed last November 27; however, no organization responded to the report.

Among the main details exposed during the
incident are:

  • Full names
  • Birth dates
  • Phone numbers
  • Email addresses
  • Some details about smoking habits

To complete their registration, users had to
enter a code obtained through the purchase of a pack of cigarettes.

A database entry sample
SOURCE: vpnMentor

So far, data protection experts have been unable to determine the number of potentially affected users; however, even though multiple entries in the database are repeated or empty, each daily log has about 50 million entries, so the scope of this incident could be considerable.

The main security risk for affected users is the malicious use of their personal information; a threat actor could be preparing a spear phishing campaign targeting consumers of these products and, although the data breach does not include financial information, some fraud could be possible using only information such as names and phone numbers. Other companies, like insurance services, could take advantage of this information, as it is very common for insurers to raise their rates in the event that a customer is a tobacco consumer.

This is a perfect example of the consequences of not properly securing a server, as mentioned by the data protection experts from the International Institute of Cyber Security (IICS). To avoid such incidents, we recommend that you take basic security measures such as implementing authentication for access to any area of the system and properly configuring access rules.
