A cybersecurity blogger recently disclosed his discovery of an unsecured backup containing operational metadata and business logic apparently belonging to Navy Federal Credit Union. The data did not contain customer information or financial data.
Jeremiah Fowler, a freelancer who specializes in discovering and publishing information about leaky cloud databases, which often contain internal operations-related data rather than personal or sensitive information, disclosed his discovery on Tuesday in a blog post on Website Planet, a creator content site that features a mix of web service reviews, email marketing how-tos, basic writing tips and similar articles.
Fowler said he notified Navy Federal about the exposed database, and the credit union restricted it from public access within hours.
Navy Federal did not immediately respond to a request for comment.
The information in the exposed database included internal users’ (i.e. employees’ or contractors’) names and email addresses. The backup files also included “operational metadata, system logs, and business logic such as codes, product tiers, optimization processes, rate structures, and other data,” Fowler said.
Fowler said it is unclear whether Navy Federal or a third-party contractor owned and managed the data. He also said the database had been exposed for an uncertain period of time.
Most U.S. states have rules that require companies to disclose data breaches to the state attorney general when the data involved rises to a particular level of sensitivity. Specifically, if the breached data contains personally identifying information (PII), often meaning names, Social Security numbers, dates of birth and related identity data, the company must disclose it.
This database exposure does not appear to be severe enough to trigger such a data breach disclosure.
Fowler said that, among the files he saw in the exposed database, he found Tableau workbook documents, which help users connect to data sources and analyze information. They define the structure, data references, calculations and layouts of reports.
Fowler said these files also contained apparent details on connecting to the underlying MySQL databases used to generate the reports, as well as key performance indicator (KPI) formulas tied to Navy Federal Credit Union’s financial performance and loan portfolio metrics.
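To illustrate what such workbook files can carry, the following added example (not from Fowler's post or from Navy Federal) audits a workbook's XML for database connection details and calculation formulas before the file is placed in a backup. The sample workbook is constructed, and the element and attribute names (`connection`, `calculation`, `server`, `dbname` and so on) are assumptions about the workbook layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample workbook (not from the exposed data). Element and attribute
# names are an assumption about how a workbook's XML is laid out.
SAMPLE_TWB = """<workbook>
  <datasources>
    <datasource caption='Loan KPIs' name='federated.example'>
      <connection class='federated'>
        <named-connections>
          <named-connection name='mysql.example'>
            <connection class='mysql' dbname='reporting' port='3306'
                        server='db.internal.example' username='report_ro'/>
          </named-connection>
        </named-connections>
      </connection>
      <column caption='Delinquency Rate' name='[Calculation_1]'>
        <calculation class='tableau' formula='SUM([Past Due]) / SUM([Balance])'/>
      </column>
    </datasource>
  </datasources>
</workbook>"""

# Connection classes that only wrap other connections and name no endpoint.
WRAPPER_CLASSES = {"federated"}
ENDPOINT_ATTRS = ("server", "port", "dbname", "username")

def audit_workbook(xml_text):
    """Return database endpoints and calculation formulas found in a workbook."""
    root = ET.fromstring(xml_text)  # for files from untrusted sources, use a hardened parser
    findings = {"connections": [], "formulas": []}
    for conn in root.iter("connection"):
        cls = conn.get("class", "")
        if cls in WRAPPER_CLASSES:
            continue
        details = {k: conn.get(k) for k in ENDPOINT_ATTRS if conn.get(k)}
        if details:
            findings["connections"].append({"class": cls, **details})
    for calc in root.iter("calculation"):
        if calc.get("formula"):
            findings["formulas"].append(calc.get("formula"))
    return findings

def is_sensitive(findings):
    """Flag workbooks that name a database endpoint or embed business logic."""
    return bool(findings["connections"] or findings["formulas"])

if __name__ == "__main__":
    result = audit_workbook(SAMPLE_TWB)
    print(result, is_sensitive(result))
```

A workbook flagged this way contains no customer records, yet it still maps internal database hosts, account names and business formulas, so it belongs in access-restricted storage.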
Because banks are required by federal regulations to take a risk-based approach to cybersecurity, data that poses a lesser threat if exposed often does not get the same level of careful handling that customers’ personal data or financial information receives.
As such, this non-sensitive data is more vulnerable to common mistakes and mishandling, and
One of the common vulnerabilities associated with broken access controls is a violation of the principle of least privilege, also called deny by default. In these cases, access to data should be granted only to particular roles or users on a need-to-know or need-to-access basis, but instead it is available to anyone.