Misconfigured Elasticsearch database exposes PII data of 30,000 students
The misconfigured Elasticsearch database apparently belonged to US software solutions provider Transact Campus.
The SafetyDetectives cybersecurity research team led by Anurag Sen identified a misconfigured Elasticsearch server that exposed data from the Transact Campus application. According to their analysis, the server was connected to the Internet and did not require a password to access the data.
As a result, approximately 1 million records were leaked, revealing personally identifiable information on over 30,000 to 40,000 students.
About Transact Campus
Transact Campus is an American payment software provider headquartered in Phoenix, Arizona. The company offers technology solutions to integrate versatile payment functions into a single mobile platform.
Its software solutions are primarily used to facilitate student purchases at higher education institutions and streamline payment processes for institutions and students.
What was exposed?
SafetyDetectives wrote in the report that the server leaked a 5GB database containing details of students with accounts at Transact Campus. Most of those affected are US nationals.
The exposed data included students':
- Full names
- Phone numbers
- Email addresses
- Credit card details
- Transaction details
- Login information (username and passwords), etc.
It should be noted that login data, including usernames and passwords, was stored in plain text. The credit card details included the bank identification number, which consists of the first six and the last four digits of the credit card number, banking information and the expiration date of the card. Additionally, meal plans purchased by students and meal plan balances were also part of the leaked data.
Transact Campus Response
SafetyDetectives notified Transact Campus of the exposed database in December 2021, and the company responded after more than a month in January 2022. However, details of the incident were only released last week.
During this time, the researchers made several attempts to contact the company and also contacted US-CERT, after which the server was secured. Transact Campus claimed the exposed server was not under its control and that the data was fake.
“Apparently this was set up by a third party for a demo and was never removed. We have confirmed that the dataset was populated with a fake dataset and did not use any production data.”
However, SafetyDetectives claims that the server in question was still being updated at the time it was discovered. They checked the data using publicly available tools and found that it belonged to real people.
Nonetheless, SafetyDetectives and Anurag Sen have a proven track record in identifying and reporting exposed databases and servers to affected parties. Some of their previous reports include the following:
- Cosmetics giant Natura
- Calgary Parking Authority
- Uganda Security Exchange
- German trading giant Windeln
- Australian trading giant ACY Securities
- Brazilian market integrator Hariexpress
The list continues…
Researchers could not determine whether unauthorized third parties and malicious actors accessed the database before it was secured. If it was accessed, cybercriminals could target students in various attacks, ranging from scams to phishing and spam marketing, or even perform an account takeover, since login credentials were stored in unencrypted form on the server.