A Garmin-owned navigation company inadvertently exposed customer information
Navionics, an Italian electronic marine navigation charts company recently acquired by Garmin, inadvertently exposed a 19GB product and customer database as a result of a MongoDB misconfiguration.
The database was indexed by the Shodan search engine on Sept 9th and I discovered it the next day, Sept 10th.
The dataset contained the records of 261,259 unique customers, including email addresses, names in some cases, purchased product IDs, and user IDs.
The database also contained telemetry such as application version and platform used, device ID, longitude and latitude, boat speed, navigation device, horizontal accuracy, and other navigation details.
As soon as I identified the owner of the data (on Sept 11), I sent a responsible disclosure notification to Navionics, and the data was secured on the same date.
Reached for comment, Navionics stated:
Navionics takes data protection very seriously, and we are grateful that Mr. Diachenko notified us of this misconfiguration using the responsible disclosure model. Once notified, we immediately investigated and resolved the vulnerability. Following our investigation, we confirmed that none of the records or data were otherwise accessed or exfiltrated, and none of the data was lost. Even so, Navionics still notified affected customers via e-mail by October 8, 2018.
Luckily, the database remained intact when I discovered it, so this incident should not affect current Navionics customers. I applaud Navionics/Garmin's rapid response to the issue: they immediately took down the server upon notification and began investigating.
The main takeaway is the importance of security at every stage of the development process. It should go without saying that your development network must be among your most tightly secured, since it holds your intellectual property. As this incident shows, one never knows when a transient firewall rule may inadvertently expose a development machine to the public internet, and a firewall is only one layer: a MongoDB instance that binds to all interfaces and runs without authentication is one lost rule away from being indexed by Shodan. Here the exposure appears to have been limited to some pieces of personal information, but for others it could be critical intellectual property or an entire subscriber base.
Director of Cyber Risk Research at Hacken. Email: firstname.lastname@example.org