Unprotected Elasticsearch database exposes personal information of 3.69 million members of non-profit organization

  • The database contained sensitive details such as gender, ethnic information, and home addresses.
  • The database remained publicly accessible till July 31, 2019.

An unprotected Elasticsearch database belonging to a non-profit organization exposed over 3.69 million records containing information of its members.

What happened?

On July 26, 2019, security researcher Jeremiah Fowler discovered an unprotected Elasticsearch database containing 5.2 million records including sensitive information on 3.6 million individuals. Upon further investigation, it was found that the database belonged to an organization called Leadership for Educational Equity (LEE).

Despite multiple notifications by the researcher, the database remained publicly accessible until at least July 31st. After a phone call from the researcher with a representative of the organization, the database was finally removed from public access.

It is not clear exactly how long the database was exposed or if any malicious actors accessed it.

What data was involved?

The exposed database contained sensitive personal information of the organization's members, including:

  • Names
  • Home Addresses
  • Gender
  • Ethnicity
  • Corps Year
  • Prospect Information
  • Salesforce ID

The database also contained IP addresses, ports, pathways, and storage information that could be exploited by cybercriminals to access the organization's network.

About LEE

Leadership for Educational Equity (LEE) is a Washington DC-based nonprofit organization. LEE is a spin-off organization of Teach for America and it was founded in 2007.

Cyware Publisher