Navionics parent company Garmin fixed a database misconfiguration that exposed hundreds of thousands of boaters’ information to anyone who knew where to look.
A white hat security researcher — an ethical hacker who scans for security risks — notified Garmin about the misconfiguration in a Navionics backup database running on MongoDB, one of the most widely used database platforms in the world.
“The security researcher informed us that he accessed the database and downloaded a limited sample of data, which included a small number of customer email addresses and nicknames,” Garmin spokeswoman Carly Hysell told Trade Only Today.
No other customers were affected, Hysell said. “Once notified, we immediately investigated and resolved the vulnerability,” Hysell said. “We confirmed that none of the records or data were otherwise accessed or exfiltrated, and none of the data was lost.”
According to TechCrunch, Bob Diachenko — Hacken.io’s newly appointed director of cyber risk research — said in a blog post that the 19-gigabyte Navionics database contained 261,259 unique records. The database held customer names, email addresses and navigational information.
“Navionics takes data protection very seriously, and we are grateful that Mr. Diachenko notified us of this misconfiguration using the responsible disclosure model,” Hysell said.
The breach is one of a string of MongoDB-based exposures, TechCrunch said.
The database software was designed to sit behind firewalls and was not automatically password-protected. As more databases have been connected directly to the Internet, MongoDB has updated its software to require a password by default, but many outdated installations remain unsecured, the publication said.
MongoDB databases have been hacked, had their contents downloaded and wiped, and then been held for ransom.
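The misconfiguration described above comes down to two mongod.conf settings: which addresses the server listens on and whether clients must authenticate. The following is an added example, not code from the article, Garmin or MongoDB: a small Python audit that reads the `net.bindIp`, `net.bindIpAll` and `security.authorization` keys from a mongod.conf and flags an instance that is reachable from non-loopback addresses without authentication. The two sample configs are constructed for illustration.

```python
"""Audit a mongod.conf for the exposure pattern in the article: listening on a
non-loopback address while authorization is not enabled. Added example; the
sample configs below are constructed and are not the Navionics configuration."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_mongod_conf(text):
    """Minimal parser for the two-level 'section:\\n  key: value' layout used by
    mongod.conf. Returns {section: {key: value}}. Comments and blank lines are
    skipped. Sufficient for net/security; not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith((" ", "\t")):         # unindented: a section header
            section = key
            conf.setdefault(section, {})
        elif section is not None:                   # indented: key under the section
            conf[section][key] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        # Older mongod binaries listened on every interface when bindIp was unset.
        exposed = True
    else:
        exposed = any(ip.strip() not in LOOPBACK for ip in bind_ip.split(","))
    exposed = exposed or net.get("bindIpAll") == "true"
    auth_on = sec.get("authorization") == "enabled"
    findings = []
    if exposed:
        findings.append(f"net.bindIp={bind_ip!r}: accepts connections from non-loopback addresses")
    if not auth_on:
        findings.append("security.authorization is not 'enabled': any client that connects can read all data")
    if exposed and not auth_on:
        findings.append("CRITICAL: database reachable from the network with no authentication")
    return findings

# Constructed sample configs: the weak legacy layout beside a corrected one.
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0   # every interface, no security section\n"
HARDENED_CONF = ("net:\n  port: 27017\n  bindIp: 127.0.0.1   # loopback only\n"
                 "security:\n  authorization: enabled   # clients must authenticate\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Run against a real mongod.conf with `audit(open("/etc/mongod.conf").read())`; a non-empty result on a host that also lacks a firewall rule for port 27017 is the situation the article describes.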