
A configuration error exposed millions of internal records traced back to Fox News, including personally identifiable information on employees, according to researchers. Per the findings of security researcher Jeremiah Fowler and the Website Planet research team, this included internal Fox email addresses, usernames and employee ID numbers for those using the company’s site.

“A large number of incidents and breaches can be traced back not to aggressive attacks, but rather to simple technical or human error,” said Erfan Shadabi, cybersecurity expert with data security specialists at comforte AG. “In this incident, a configuration error exposed millions of internal records, including PIIs on employees.”


How the configuration error was found

The configuration error left a 58GB data set containing PII publicly viewable, which is how Fowler and the rest of the Website Planet team discovered it. The data included a listing of 65,000 celebrities, cast and production crew members and their internal FOX ID reference numbers. Fowler was also able to uncover data such as IP addresses, device data and host names through the misconfiguration.

Records labeled ‘prod’, which typically stands for production, led to the cache of user data becoming accessible. The team then uncovered an environment labeled ‘CMS’, or content management system, and found that it was not a test or demo page that Fox had made available for access, but the actual CMS database itself.

The report notes that the 701 internal email addresses that were publicly accessible could have enabled a targeted phishing campaign had this incredibly detailed user information fallen into the wrong hands. The database, which was neither password-protected nor encrypted, could also have fallen victim to a ransomware attack if hacking groups had found it, through direct access to the system’s CMS.

Fowler and the Website Planet research team sent a responsible security disclosure notice to Fox’s website administrators, who restricted public access shortly thereafter.

What organizations can learn from this error

Shadabi says that organizations should treat this potentially dangerous data leak as a lesson in how to keep errors like this from ending in catastrophe.

“Enterprises should take heed of this very common situation and invest in more effective data protection methods that are readily available in the marketplace, including data-centric technologies such as tokenization and format-preserving encryption,” he said. “These measures guard the data itself instead of the environment around it by replacing sensitive information with representational and innocuous tokens. This data-centric protection travels with the data, so even if data is exposed due to technical or human error, it will be worthless, thereby averting the worst repercussions.”
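The tokenization approach described in the quote above, as an added example (not code from the article, Fox or comforte AG): sensitive fields are replaced with keyed tokens that keep each field's format, and the originals live only in a separate vault. This is HMAC-based vault tokenization, not a standardized format-preserving encryption mode such as FF1; the `Tokenizer` class, field names and sample records are assumptions.

```python
import hashlib
import hmac

SENSITIVE = ("email", "username", "employee_id")
# Constructed sample records; field names are assumptions, not the exposed schema.
RECORDS = [
    {"email": "a.lee@corp.example", "username": "alee", "employee_id": "104233", "role": "editor"},
    {"email": "r.diaz@corp.example", "username": "rdiaz", "employee_id": "104871", "role": "crew"},
]

class Tokenizer:
    """Keyed, vault-backed tokenization that keeps each field's format."""

    def __init__(self, key: bytes):
        self._key = key    # assumption: fetched from a KMS, never stored with the data
        self._vault = {}   # (field, token) -> original; kept in a separate, locked-down store

    def _token(self, field: str, value: str, counter: int) -> str:
        mac = hmac.new(self._key, f"{field}|{counter}|{value}".encode(), hashlib.sha256)
        if value.isdigit():  # numeric ID: same length, digits only
            return str(int(mac.hexdigest(), 16) % 10 ** len(value)).zfill(len(value))
        if "@" in value:     # email: still parses as an address, reveals no real domain
            return f"u{mac.hexdigest()[:16]}@tokenized.invalid"
        return "t" + mac.hexdigest()[:16]

    def tokenize(self, field: str, value: str) -> str:
        for counter in range(1000):  # re-derive on collision (plausible for short IDs)
            token = self._token(field, value, counter)
            owner = self._vault.get((field, token), value)
            if owner == value and token != value:
                self._vault[(field, token)] = value
                return token
        raise RuntimeError("token space exhausted for this field format")

    def detokenize(self, field: str, token: str) -> str:
        return self._vault[(field, token)]

def protect_record(tok: Tokenizer, record: dict) -> dict:
    """Return a copy that is safe to store in the application database."""
    return {k: tok.tokenize(k, v) if k in SENSITIVE else v for k, v in record.items()}

if __name__ == "__main__":
    tok = Tokenizer(b"constructed-demo-key")
    for rec in RECORDS:
        print(protect_record(tok, rec))
```

If the application database holding only the output of `protect_record` is left publicly readable, it discloses tokens rather than addresses or ID numbers; the protection depends on the key and vault being stored and access-controlled separately.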

As noted by Fowler and the rest of the research team, if this sensitive information had been found by one of the many malware or ransomware groups on the internet, it could have led to serious repercussions for Fox as a whole. This example of a simple configuration error leaving private information easily viewable can help organizations understand how easily one flaw in a system can become a disaster in a short amount of time, and what can be done to prevent it moving forward.
