Panama Citizens Database Breached caused by unsecured Elasticsearch server.
The Panama citizens data has been breached including names, addresses and phone numbers.
The Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents and it is developed in Java.
Reported by Bob Diachenko from security discovery said, that he identified a massive bulk of data sitting in an unprotected and publicly available Elasticsearch cluster (hence visible in any browser).
The database contained 3,427,396 records with detailed information on Panamanian citizens (labeled as ‘patients‘), plus 468,086 records with records labeled as ‘test-patient‘ (although, this data also appeared to be valid and not purely test data).
The country total population 40,34,119, it means that approx 85 percent of citizens personal data exposed.
The record contained as following info:
- Full name
- Date of birth
- National ID number (cedula)
- Medical insurance number
- Phone
- Address
- Other info
BOB has reported to CERT Panama and they immediately took action on the report and secured the database within 48 hours.
The state agency believed that the Elasticsearch server does not secure effectively. In November 2018, there are 114 million records of US citizens and companies data were also breached caused by unsecured ElasticSearch database.