More Than 1.68 Million Records Exposed Due to Misconfigured University of Chicago Medicine ElasticSearch Instance


Several massive healthcare data breaches have been reported recently, including the 11.9 million-record breach at Quest Diagnostics and the 7.7 million-record breach at LabCorp. Now University of Chicago Medicine has reported the exposure of more than 1.68 million records.

The ElasticSearch server that stored the records was misconfigured: its access protections had been removed by mistake, leaving the database reachable over the internet without authentication. As a result, the records of 1,679,993 donors and prospective donors were potentially accessible to anyone who found the instance.

Researcher Bob Diachenko of Security Discovery found the exposed database on May 28 using the Shodan search engine, which indexes internet-facing services and is routinely used to locate unsecured databases. Despite repeated warnings about the large number of exposed ElasticSearch instances and NoSQL databases, Security Discovery's researchers still find 5 to 10 large unsecured databases every month.

The most recent find was a large cluster containing 34 GB of data. Shodan had indexed the cluster, named data-ucmbsd2, so anyone could locate and query it online. The database held a wide range of information: names, addresses, telephone numbers, email addresses, dates of birth, gender, marital status, wealth data and current financial status, and records of past communications.

Diachenko determined that the information belonged to UC Medicine and notified the university. Within 48 hours the ElasticSearch instance had been secured.

UC Medicine stated that a forensic team conducted a comprehensive investigation and found no unauthorized access to the database other than Diachenko's. Diachenko said he viewed only a few records to identify the owner and did not download the data. Fortunately, the window of opportunity was short: Diachenko identified the database one day after Shodan indexed it.

ElasticSearch instances must be bound only to an internal network interface, never to a public one, and authentication must be enabled so that only authorized users can reach the data. The consequences of a misconfiguration go beyond data theft: attackers who find an open database can also encrypt or delete its contents and demand a ransom.
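The two controls above (bind to a private or loopback address, require authentication) can be checked mechanically before a node ever goes live. The following audit script is an added example and not code from the article or from UC Medicine; the two elasticsearch.yml fragments it inspects are constructed here to show the exposed pattern beside the hardened one (the cluster name is reused from the article, the settings themselves are illustrative). The parser handles only the flat `key: value` lines elasticsearch.yml normally uses, and because the default for `xpack.security.enabled` has changed between Elasticsearch versions, the check insists that it be set explicitly.

```python
"""Audit elasticsearch.yml settings for the exposure pattern behind the UC Medicine leak:
an HTTP API bound beyond loopback with no authentication in front of it."""
import ipaddress

# Constructed sample: the settings that leave a cluster open to anyone on the internet.
EXPOSED_CONFIG = """\
# Binds every interface and never turns security on: anyone reaching TCP/9200 can read the indices.
cluster.name: data-ucmbsd2
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed sample: loopback only (use a private interface address if other hosts need
# access), with authentication and TLS on the HTTP layer.
HARDENED_CONFIG = """\
cluster.name: data-ucmbsd2
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse flat `key: value` lines; comments and blanks are skipped.

    Deliberately simplified (no nesting, no anchors), which is enough for the
    settings audited here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)   # split once so IPv6 values like "::" survive
        settings[key.strip()] = value.strip()
    return settings


def split_hosts(value):
    """Accept the `a`, `"a"` and `[a, b]` forms Elasticsearch allows for host settings."""
    return [h.strip().strip('"').strip("'")
            for h in value.strip("[]").split(",") if h.strip()]


def is_loopback_only(host):
    """True when a network.host / http.host value binds only to the loopback interface."""
    if host.startswith("_") and host.endswith("_"):
        # Elasticsearch aliases: _local_ is loopback; _site_, _global_, _eth0_ ... are not.
        return host == "_local_"
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False   # a hostname or shorthand like "0": treat as reachable from outside


def audit_es_config(text):
    """Return a list of findings; an empty list means both controls are in place."""
    s = parse_flat_yaml(text)
    findings = []
    # http.host overrides network.host for the REST layer, which is what Shodan indexes.
    bind_value = s.get("http.host", s.get("network.host", "_local_"))
    exposed = [h for h in split_hosts(bind_value) if not is_loopback_only(h)]
    if exposed:
        findings.append("REST API bound beyond loopback: " + ", ".join(exposed))
    # Defaults differ by version, so require the flag explicitly rather than trusting them.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication on the HTTP port")
    if exposed and s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP TLS not enabled: credentials would cross the network in clear text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_es_config(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a real elasticsearch.yml by reading the file into `audit_es_config`; a clean result still only proves the node's own settings, so pair it with an external check that an unauthenticated request to port 9200 from outside the trusted network is refused.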