More than 260,000 actors have had their personal data exposed thanks to yet another misconfigured cloud server.
Researchers at SafetyDetectives led by Anurag Sen discovered the unprotected Elasticsearch server, which contained 1GB of data, amounting to 9.5 million records.
It apparently belonged to New Orleans-based casting agency MyCastingFile.com, which has recruited actors for Terminator movies, TV show True Detective and other productions.
The “talent profiles” found in the trove included full names, residential and email addresses, phone numbers, dates of birth, height and weight, photographs and vehicle information.
In total, over 260,000 members had their data exposed in this way, potentially including actors under the age of 18, according to SafetyDetectives.
It warned that the leaked email addresses and personal data could be used to send convincing phishing emails impersonating MyCastingFile, in order to trick users into clicking through on malware downloads.
“Photographs provided by users can be harnessed to conduct scams involving facial recognition such as identity fraud, as well as being used to create multiple illegitimate profiles, to carry out what’s known as ‘catfishing’ — the act of luring someone into a relationship by means of a fictional online persona,” it added.
It’s believed the database had been exposed since May 31 2020, but the researchers said the issue was fixed following their disclosure.
Pravin Kothari, founder and CEO of cloud security vendor CipherCloud, argued that avoiding misconfigurations in the cloud is increasingly challenging.
“These issues most frequently revolve around a lack of visibility into faulty controls, not a lack of effort,” he added.
“Perhaps the biggest hurdle, even greater than monitoring for risky configurations, as in this case, relates to better management of cloud data itself. We find that organizations are moving so fast to embrace cloud apps and infrastructure that they cannot maintain visibility into all the issues of data protection and access required to prevent subsequent breaches.”