- ZDNet and a security expert identify information about 108 million leaked wagers
- The data contained identifiable details, including residential address, names, age, and account balance
- Financial data was only partially identifiable
An ElasticSearch server has reportedly leaked financial information for over 108 million placed wagers, according to ZDNet, an online security media outlet. This comes on the heels of similar events earlier in November 2018.
ElasticSearch Fails to Protect Online Casino Players
Security media outlet ZDNet has reported the leak of information on over 108 million bets from an online casino group, as confirmed by the outlet's source, Justin Paine, a security researcher.
Mr. Paine identified breaches in the ElasticSearch server's security, with swathes of data left unprotected so that anyone poking around could obtain the stored information.
Mr. Paine's investigation soon identified unsecured data from online gaming portals, most likely part of an affiliate program that casinos use to boost engagement and spread awareness of their product.
ZDNet and Mr. Paine then proceeded to analyze the URLs, leading to the conclusion that the casino(s) held licenses issued by the Government of Curacao, an authorized body which grants remote gaming certifications to companies around the world.
Based on the investigation, a lot of sensitive data was readily available to people who knew where to look for it, including residence, legal names, age, e-mail addresses, IP addresses, account balances, login information and more.
Simple extrapolation would put more people at risk, as individuals often reuse the same passwords across all their online platforms.
Financial Data Only Partially Compromised
Upon completing the investigation, the security outlet and Mr. Paine did draw one positive conclusion: the financial data was only partially compromised, leaving out enough data to conceal with fair certainty the banking footprint of individuals.
However, the exposure of all the other personal information would leave users open to various nefarious activities by third parties. The developments highlight the risk of playing at offshore and unregulated companies.
Whose Fault Is It?
The Government of Curacao has long focused only on keeping close tabs on land-based casinos, but there have been multiple calls for it to refocus its efforts on online gaming institutions as well.
Had proper checks been carried out, the certified operator would never have been allowed to amass tons of sensitive data, ZDNet estimates. ElasticSearch was at the center of another security breach recently, with Cybercop posting information about the leak of 57 million people's personal details.
Meanwhile, Curaçao's Gaming Control Board (GCB) has expressed hopes that illegal gaming operators can be brought down sooner. Back in the United Kingdom, the UKGC has been issuing stiff penalties to offshore online companies failing to comply with the necessary security and due diligence provisions of their licenses.