Data leak at brillen.de: details of the causes
A data leak at brillen.de became known in mid-November. The investigation into the incident provides initial details on the causes.
(Image: created with AI in Bing Designer by heise online / dmk)
In mid-November, it became known that data on more than 3.5 million European customers of brillen.de was freely accessible online. The operator of the service, Supervista, has now largely completed its investigations.
The company has published customer information about the incident on the brillen.de website. At our request, Supervista provided further details. "On August 7, 2024, a misconfiguration of a server port on three AWS-hosted servers at Supervista opened up a potential security vulnerability. An employee had added an ingress rule for testing purposes that allowed access via port 9200/TCP, but mistakenly assumed that this security group would only be used for test systems," a company lawyer told heise online.
Unrecognized misconfiguration as the cause
In addition, no authentication had been enabled on the exposed service. "After completing the tests, the employee forgot to remove the ingress rule again, which allowed external, unauthorized access," the company spokesperson continued.
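The failure mode described above has two parts: a world-open ingress rule on the Elasticsearch port, and a security group that was attached to more systems than its author assumed. Both are visible in the data AWS already returns. The following is an added example, not Supervista's code, of an audit that walks security-group ingress rules in the shape returned by `describe_security_groups` and flags sensitive ports reachable from `0.0.0.0/0` or `::/0`, listing every instance that uses the offending group. The group ids, instance ids and rules in the sample are constructed to mirror the incident; the `SENSITIVE_PORTS` table is this example's own choice.

```python
"""Audit AWS security-group ingress rules for internet-reachable data-store ports.

Added example, not code from Supervista or AWS. Input is the JSON structure
returned by `aws ec2 describe-security-groups` (or boto3's
describe_security_groups()["SecurityGroups"]); the sample data below is
constructed to resemble the brillen.de incident: a port-9200 test rule left
in a group that production instances also use.
"""
import ipaddress

# Ports that have no business being open to the internet. 9200/9300 are
# Elasticsearch HTTP and transport; the rest are common unauthenticated stores.
SENSITIVE_PORTS = {
    9200: "elasticsearch-http",
    9300: "elasticsearch-transport",
    5601: "kibana",
    6379: "redis",
    27017: "mongodb",
}


def _rule_ports(perm):
    """Ports covered by one IpPermissions entry; empty for non-TCP protocols."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule
        return range(0, 65536)
    if proto not in ("tcp", "6"):
        return range(0)
    return range(perm.get("FromPort", 0), perm.get("ToPort", 65535) + 1)


def _is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix of length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_rules(groups, attachments):
    """Return one finding per (group, sensitive port, world-open CIDR).

    groups:      list of SecurityGroups entries from describe_security_groups.
    attachments: dict GroupId -> instance ids using that group, built from
                 describe_instances (hypothetical name; any source will do).
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = _rule_ports(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if _is_world_open(r["CidrIp"])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if _is_world_open(r["CidrIpv6"])]
            if not cidrs:
                continue
            for port, service in SENSITIVE_PORTS.items():
                if port in ports:
                    for cidr in cidrs:
                        findings.append({
                            "group": sg["GroupId"],
                            "port": port,
                            "service": service,
                            "cidr": cidr,
                            # The instance list is the point: it shows the rule
                            # reaches production, not just the test boxes.
                            "instances": sorted(attachments.get(sg["GroupId"], [])),
                        })
    return findings


# Constructed sample: sg-0test carries the forgotten 9200 rule and is attached
# to two production Elasticsearch nodes plus one test box; sg-0web is fine.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0test", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]
SAMPLE_ATTACHMENTS = {
    "sg-0test": ["i-test-1", "i-prod-es-1", "i-prod-es-2"],
    "sg-0web": ["i-web-1"],
}


def sample_findings():
    return find_exposed_rules(SAMPLE_GROUPS, SAMPLE_ATTACHMENTS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['group']}: {f['service']} ({f['port']}/tcp) open to {f['cidr']} "
              f"on instances {', '.join(f['instances'])}")
```

Run periodically (or as a pre-apply check in the change process for security groups), this turns "I thought this group was test-only" into a listed set of production instance ids. It does not replace authentication on the service itself: a world-open 9200 in front of an Elasticsearch node without security enabled is exactly the combination that exposed the data here.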
Supervista's systems had already detected an unusual access from an external IP address on August 9. The access was blocked immediately. Because the configuration error was not known to the employee at the time, the access was not traced back to the open server port. As far as is known today, the access came from Cybernews, which discovered and reported the open Elasticsearch instance.
The incorrect configuration was discovered and corrected on August 28. "The affected ports were closed and authentication was enabled on the Elasticsearch instances. However, the incident was not reported to management and the data protection officer until October 17, 2024, as employees did not initially classify it as a data protection incident," adds Supervista.
Countermeasures taken
In addition to technically securing the systems, Supervista responded to the IT security incident by revising processes, among them the process for network changes, commissioning a forensic IT analysis and an IT security resilience check, holding employee meetings, and briefing and training IT staff on data protection requirements and IT incidents. Further measures and training courses, for example on data protection for all employees, are also planned. The Google subsidiary Mandiant was commissioned with darknet monitoring for any trade in the potentially captured data; no data misuse has been detected to date. The brillen.de website has carried notices about the incident since October 18 and October 30.
According to Supervista, the Austrian data protection authority discontinued its proceedings regarding the incident on October 20. Asked by heise online, a spokesperson for Brandenburg's state data protection commissioner explained that the authority was still investigating the tip-off. "In the meantime, we have also received a notification from the controller in accordance with Article 33 of the General Data Protection Regulation," the spokesperson confirmed, "and we have also received complaints from affected persons." As the proceedings have not yet been completed, no result can be given yet.
(dmk)