Casinos leave Elasticsearch database open exposing data
An unknown number of online gamblers lost more than a few bucks when several unnamed online casinos left an Elasticsearch database open exposing the details of 108 million bets.
Justin Paine, director of trust and safety at Cloudflare, posted the finding on his Twitter page, noting that these instances are now so common that he was ânot even going to write this one up. Just notifying the host.â
The info he did post said there were 108,025,616 bets from a variety of online casinos with the exposed data including first name/last name, billing address, partial credit card info, how much the bet was for and email address.
The casinos involved were not named by Paine, but ZDNet quote him as saying the names found on the server included kahunacasino.com, azur-casino.com, easybet.com and viproomcasino.net.
Industry execs also expressed to SC Media their exasperation with the growing number of misconfigured servers being found, but noted that such poor cyber hygiene is going to start costing companies big bucks.
âCompanies that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for noncompliance with data privacy laws are incredibly expensive â not to mention the cost of losing the trust of their customers,” said Bitglass CMO Rich Campagna. “In fact, Google was just fined $57 million by CNIL, the French data protection watchdog, for failing to comply with GDPRâs transparency and consent laws.â
Part of the investment needs to be spent upgrading security suites to include some measure of automation.
âOrganizations must understand that proper, organization-wide cybersecurity is no longer a human-scale task, and it is mathematically impossible for people alone to constantly monitor and assess all IT assets and infrastructure to stay ahead of 200-plus attack vectors for potential vulnerabilities,” said Balbix CMO Mark Weiner. “Companies must adopt security platforms that leverage artificial intelligence and machine learning to enable security teams to proactively manage risk and avoid breaches.â