Polecat exposed an Elasticsearch server that wasn’t protected with any authentication measures or any form of encryption.
Polecat, a UK-based data analytics company that offers various advanced “data analytics and human expertise” tools to help organizations achieve ESG (environmental, social, governance) management success, has become the victim of a data breach.
The breach was discovered by Ata Hakcil, head of the Wizcase CyberResearch Team, on October 29, 2020. Polecat was informed about the exposed data and secured it on November 2; however, details of the breach were only published this week.
Unsecured Server Exposed 30TB of Data
According to Wizcase researchers’ analysis, an unsecured Elasticsearch server owned by Polecat is responsible for exposing nearly 30TB of data on the web. The server wasn’t protected with any authentication measures or any form of encryption. Hence, anyone could access the records stored on that server.
Further probe revealed that the server stored business records dating back to 2007. It contained employee usernames and passwords, more than 6.5 billion tweets, over one billion posts collected from various websites and blogs, and social media records.
Data Exposure a Result of Human Error
Much of Polecat’s data was already public, since the company collects data on subjects such as politicians, healthcare, COVID-19, racism, and firearms. Had the data been downloaded and sold to competitors, it could have drastically impacted Polecat’s business. Researchers believe the incident was most likely the result of human error.
“The server exposed some well-protected usernames and hashed passwords belonging to Polecat’s employees. This shows that the company is aware of the security measures required to protect its data and that the server exposure was likely a result of human error,” researchers noted.
Meow Attack Launched Against the Database
Wizcase notified Polecat about the exposed data on October 30 and November 1. However, as often happens with unsecured servers, threat actors abused the server only one day after the researchers discovered it.
“It’s important to note that these types of scams/ransoms are usually automated and sent to many open databases,” Wizcase explained in a blog post.
A Meow attack was launched against the database on October 30, 2020. In this attack, the database indexes are overwritten with names carrying the ‘gg-meow’ suffix, destroying a large amount of data. In Polecat’s case, around half of the company’s records were wiped.
In another wave of the Meow attack, more terabytes of data were deleted. Now just 4TB of data remains on the server. Researchers also discovered a ransom note demanding 0.04 BTC ($550) for data recovery.
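A defender-side triage of an Elasticsearch index listing for the renaming pattern described above, added here as an example (it is not Wizcase’s or Polecat’s code): it parses a constructed `_cat/indices` response, flags indices carrying the Meow suffix, and totals the storage still intact.

```python
"""Triage an Elasticsearch `_cat/indices` listing for signs of a Meow attack:
indices renamed with a '-meow' suffix (the page cites 'gg-meow') and emptied.
Added example, not code from the incident report; the listing is constructed."""
import re
from typing import Dict, List

# Constructed sample of: GET /_cat/indices?v&h=health,status,index,docs.count,store.size
SAMPLE_CAT_INDICES = """\
health status index            docs.count store.size
green  open   tweets-2020      6500000000       22tb
green  open   ul0vgx45xp-meow           0       226b
yellow open   blogposts-2019   1000000000        4tb
green  open   employees              1200        3mb
green  open   gg-meow                   0       226b
"""

_SIZE = re.compile(r"^(\d+(?:\.\d+)?)(b|kb|mb|gb|tb)$")
_UNIT = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4}


def parse_size(text: str) -> int:
    """Convert a _cat store.size value such as '22tb' or '226b' to bytes."""
    m = _SIZE.match(text.lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2)])


def parse_cat_indices(listing: str) -> List[Dict[str, str]]:
    """Turn the whitespace-aligned _cat table (with header row) into dicts."""
    lines = listing.strip().splitlines()
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:] if line.strip()]


def is_meow_index(name: str) -> bool:
    """Meow-renamed indices end in 'meow', usually after a random prefix and a dash."""
    return name == "meow" or name.endswith("-meow")


def triage(listing: str) -> Dict[str, object]:
    """Report renamed indices and how many bytes of untouched data remain."""
    rows = parse_cat_indices(listing)
    hit = [r["index"] for r in rows if is_meow_index(r["index"])]
    remaining = sum(parse_size(r["store.size"]) for r in rows if r["index"] not in hit)
    return {"meow_indices": hit, "remaining_bytes": remaining, "compromised": bool(hit)}


if __name__ == "__main__":
    print(triage(SAMPLE_CAT_INDICES))
```

Any hit from this check on a cluster that answers `_cat/indices` without credentials is the combination seen in this incident: treat it as an active compromise, not a configuration finding.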