Services Provider to Government Left Database Exposed: Report
2020-02-13 14:18

Granicus, one of the largest IT service providers for U.S. federal and local government agencies, acknowledges that it left a massive Elasticsearch database exposed to the internet for at least five months, but it says the risks involved were low.

Ehrlich says the Granicus database included links to files on websites belonging to the Department of Health and Human Services and U.S. House of Representatives, as well as hundreds of other local government units across the country.

Hansen says the Elasticsearch database that was temporarily exposed accepts changes written to it but does not push them back to the corresponding websites.

The exposed database is not used for the search boxes on government websites, he says.

Troy Hunt, a data breach expert and creator of the Have I Been Pwned breach notification website, says that even if the Elasticsearch database didn't write back to a production database, whoever was using the internal search feature could be at risk if the links in the exposed Elasticsearch database were changed to malicious ones.


News URL

https://www.inforisktoday.com/services-provider-to-government-left-database-exposed-report-a-13716