AmazingCo, a company based in Melbourne, Australia, had an unprotected Elasticsearch database that contained sensitive details of customers and possible leads. The publicly accessible database was discovered by security researcher Jeremiah Fowler. According to Fowler, a large portion of the data was related to children’s entertainment and wine tours.
AmazingCo provides services such as hosting children’s parties, date nights and social experiences all around Australia, New Zealand, and in eight states in the US.
The big picture
Fowler indicated that the internal notes on events included user reviews linked with personally identifiable data (PII). “A vast majority of the notes that I read were positive and praising the entertainers, tour guides, and experiences. The down side to this is that each of these were connected to the client’s real personally identifiable data and the files also included internal notes on the clients, their events and any challenges Amazingco’s staff experienced,” Fowler wrote in his blog.
Upon being notified about the exposed database, AmazingCo secured it, and it is no longer publicly accessible. It is unknown how long these records were exposed online.