An unsecured Elasticsearch database exposed the real-time location data for over 11,000 Indian buses online over three weeks. ElasticSearch, an enterprise search engine, provides technology solutions for powering search functions.
According to Justin Paine, the security researcher who discovered the breach, the unprotected server was left visible online without a password exposing real-time GPS and bus route information from 27 Indian transportation agencies via an ElasticSearch server, ZDNet reported.
The server exposed the data of 26 road transport agencies including Kochi Metro Rail Limited. The exposed information included the details like bus license plates, start-stop stations, route names, GPS coordinates, and details of commuters like usernames and emails.
Paine said he discovered the server using search engines for connected devices on December 5, 2018, and after reaching the Indian Computer Emergency Response (ICERT) team the server was secured on December 22, 2018.
“In some cases, the username field appeared to be populated with a user-supplied username, but in other cases, it did appear to be the user’s full name. Some agencies also appeared to log the user’s email address,” Justin Paine said in a media statement.
“I was not able to determine how many unique users had their information exposed as I did not want to run such a resource-intense query on someone else’s server. I can confirm the server was accessible as far back as at least November 30, 2018. It is unclear how long the server had been exposed [before that date] though,” Paine added.
This is the latest data leak caused by the unprotected ElasticSearch servers. In November 2018, the vulnerable Elasticsearch database exposed personal details of 57 million U.S. citizens for almost two weeks. Bob Diachenko, Director of Cyber Risk Research at Hacken, discovered that the unsecured server was left visible online without a password exposing customers’ personal data.
The researcher also stated he found another index of the same database that contained 25 million additional data records holding sensitive information, including names, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, and SIC codes.