Kars4Kids data breach exposed 21 612 records filled with personally identifiable information
The New Jersey-based donation service Kars4Kids has become yet another victim of a data breach, this one discovered by Bob Diachenko on November 3. Access to the company's MongoDB database revealed personal information about donors, including their email addresses, donation receipts, links to personal tax information, and other data that could later be used to reach more sensitive records.
It all started with a misconfigured database that had been placed on an internet-facing server without any password. During the research, however, Hacken's Director of Cyber Risk found evidence that he was not the first to come across the unprotected data on these servers. Someone else had already left a ransom note claiming to have downloaded the data and demanding a bitcoin payment to return it without misusing it.
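The report does not publish the server's actual configuration, so the fragments below are an added illustration, not Kars4Kids' or HackenProof's own files. They show the two mongod.conf settings that together produce the situation described above (a listener reachable from the internet with no authentication) next to the corrected values. The keys are standard MongoDB YAML options; the weak values are assumed for illustration.

```yaml
# Added illustrative mongod.conf fragments (not the charity's real configuration).

# --- Weak: the shape of an exposed deployment ----------------------------
# net:
#   bindIp: 0.0.0.0          # listens on every interface, so the port is reachable from the internet
#   port: 27017
# security:
#   authorization: disabled  # or the key is simply absent: any client that connects can read and write

# --- Hardened ---------------------------------------------------------------
net:
  bindIp: 127.0.0.1          # local clients only; add a private-network address if an app server needs it
  port: 27017
security:
  authorization: enabled     # every client must authenticate with a user that holds explicit roles
```

Before restarting with `authorization: enabled`, create at least one administrative user in the `admin` database (for example with `db.createUser` from a shell on the host itself), otherwise no one can log in afterwards. Two checks complement the change: confirm from outside the host that port 27017 is no longer reachable, and list the databases and collections for names you did not create, since the ransom note in this case was itself stored inside the database.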
This raised further concern and further risk, as Diachenko notes:
It is unclear how long the data was exposed or how many others gained access to it before the notification was sent and the database was ultimately secured.
Kars4Kids was informed by email on that same day, November 3, but the team gave no response. HackenProof then called the charity to reach its IT specialists but received no answer either. On November 7 the charity finally contacted HackenProof and pulled the database offline.
A ransom note was found within the database
As noted above, Diachenko found a ransom note beside the publicly accessible data, which suggests that cybercriminals may have stolen more information. As the report states, anyone with an internet connection could have reached the unprotected database:
In fact, there is clear evidence that cybercriminals placed a ransom note inside their database. We cannot confirm or deny that cybercriminals have downloaded the entire Kars4Kids’ database, but the ransom note provides reasonable suspicion that it is a possibility.
There have been earlier instances of hacker groups wiping databases and demanding payment from the victims. In 2017, more than 26 000 MongoDB databases were accessed, and the attackers demanded $650 per database. According to the same researcher, 75 000 databases in total were affected that year. The process can be quicker than you might think, as Diachenko reflects on a test he conducted in March:
It took only three hours for hackers to identify the database before wiping out its data in just 13 seconds and leaving a ransom note demanding 0.2 Bitcoin.
Late reply from the charity raises more questions about donor data security
After several days of trying to contact the charity, HackenProof finally got a response, but the process was far from easy: the team had to call various numbers and even ask volunteers to refer them to the right people:
It took 3 hours by phone to reach someone despite telling the volunteers who answer the phones that this is a serious issue and we need to speak with someone in the IT Technology department or senior management.
It appears that the organization has no plan for crisis and data breach management. Such a plan matters because every organization should value the security of the information it collects and protect it accordingly. Regular security training for employees is one measure that tends to pay off more with each passing year.