Unprotected dataset of 104 Gb looks suspiciously like Verizon Innovative Learning Schools
Image source – freepik.com
In early September, I discovered a dataset of 104 GB that contained 271,588,696 records. Nearly all of the folders were titled VILS and referenced online learning, students, and other educational keywords.
The records also indicated that these were both development and “QA” which I assume stands for quality assurance.
Upon further research, the only educational program I could find that used "VILS" was the Verizon Innovative Learning Platform (Schools).
Table of Contents:
We can only speculate that this is the same VILS as we think. We have no confirmation of our assumption.
Here is an example of what the exposed folders and records looked like.
Here is an example of admin emails and passwords exposed
The administrative email addresses inside the database were @publicissapient.com.
According to Wikipedia: Publicis Sapient is an American digital consulting company founded as Sapient in Cambridge, Massachusetts, in 1990. According to their website, Publicis Sapient is a "digital transformation company".
It is difficult to understand clearly what that means, but it appears they are a one-stop-shop for digital solutions and business/technology consulting using cloud-based technology.
No one from Publicis Sapient or Verizon responded to our responsible disclosure notice or follow-up message. Public access was restricted the same day we reported it to Publicis Sapient.
It is unclear how long the database was exposed or who else may have gained access to these potentially sensitive records that were accessible to anyone with an internet connection.
Protecting a development environment is extremely important to reduce the risk of an attack or data exposure down the road.
Even though the data may not contain personally identifiable information, there is a treasure trove of records that criminals could steal, such as encryption and access keys, passwords, knowledge of security controls, or intellectual property.
Another risk is cybercriminals could embed malicious code or crypto mining into the project without an organization's knowledge. When the bad guys have a clear understanding of how the platform, applications, or utilities work, this is the first step in planning an attack.
Another helpful security tip is to conduct protective monitoring of any development environment. This could help identify the difference between legitimate and unauthorized access to the environment, so it is important to not only have logging records but ensure that someone is actually reviewing them. In today's work, employees and companies are located all over the world, and teams need access.
We often see mistakes and misconfigurations that expose the entire dataset. I would recommend that any company, which is outsourcing or has remote team members, ensure strict access policies such as 2-factor logins or other additional steps.
According to their website:
Taking responsibility for our shared future means ensuring the benefits of technology are available to all. Right now, millions of students here in the U.S. lack the connectivity, technology, and skills required for success in today's digital economy. That's why we've been working to help foster digital inclusion through a transformative education program called Verizon Innovative Learning. It’s a key part of our goal to help move the world forward for all through Citizen Verizon, our responsible business plan for economic, environmental, and social advancement.
Disclaimer: Our primary goal is always data protection and ensuring that public access to these sensitive records is restricted as fast as possible. We are not implying any wrongdoing by Publicis Sapient, Verizon, their partners, or affiliates, and we are highlighting our findings to raise awareness of best practices and for cyber security education.
Leave a comment