Thomson Reuters collected and leaked at least 3TB of sensitive data

"Thomson Reuters, a multinational media conglomerate, left an open database with sensitive customer and corporate data, including third-party server passwords in plaintext format. Attackers could use the details for a supply-chain attack.

The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company’s platforms. The company recognized the issue and fixed it immediately.

Thomson Reuters provides customers with products such as the business-to-business media tool Reuters Connect, legal research service and database Westlaw, the tax automation system ONESOURCE, online research suite of editorial and source materials Checkpoint, and other tools.

• Media giant with $6.35 billion in revenue left at least three of its databases open
• At least 3TB of sensitive data exposed including Thomson Reuters plaintext passwords to third-party servers
• The data company collects is a treasure trove for threat actors, likely worth millions of dollars on underground criminal forums
• The company has immediately fixed the issue, and started notifying their customers
• Thomson Reuters downplayed the issue, saying it affects only a “small subset of Thomson Reuters Global Trade customers”
• The dataset was open for several days – malicious bots are capable of discovering instances within mere hours
• Threat actors could use the leak for attacks, from social engineering attacks to ransomware

The naming of ElasticSearch indices inside the Thomson Reuters server suggests that the open instance was used as a logging server to collect vast amounts of data gathered through user-client interaction. In other words, the company collected and exposed thousands of gigabytes of data that Cybernews researchers believe would be worth millions of dollars on underground criminal forums because of the potential access it could give to other systems.

Meanwhile, Thomson Reuters claims that out of three misconfigured servers the team informed the company about, two were designed to be publicly accessible. The third server was a non-production server meant for “application logs from the pre-production/implementation environment.”

Full report is available here.

#DataLeak #Misconfigured #ElasticSearch #Plaintext #Password#HumanError #SupplyChain