An unprotected Elasticsearch cluster exposed 3,427,396 records labeled "patient" containing sensitive personal information on Panamanian citizens, together with another 468,086 records labeled "test patients".

As Security Discovery researcher Bob Diachenko found during his investigation, the data was exposed because the Elasticsearch cluster storing it was misconfigured: it accepted unauthenticated connections from the Internet, so anyone could browse its contents with nothing more than a web browser.

The publicly accessible Elasticsearch server, hosted on Amazon Web Services (AWS), was found by the researcher using Shodan and, according to the platform's historical data, the huge cache of sensitive data was first indexed on April 24th, 2019.
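The exposure described above is trivial to reproduce against one's own infrastructure: an Elasticsearch node that answers port 9200 without credentials returns its cluster information on `/` and its index list on `/_cat/indices`. The script below is an added example, not code from the article or from Security Discovery; it issues those two unauthenticated requests and classifies the answers. The sample responses embedded in it are constructed for the offline test (the index names and document counts mirror the article's figures but were not captured from the leaked server), and the verdict labels are my own naming.

```python
"""Check whether an Elasticsearch HTTP endpoint answers without authentication.

Added example (not from the article). Run as: python es_exposure_check.py <host>
Without a host argument it classifies the constructed sample responses below.
"""
import json
import sys
import urllib.error
import urllib.request

# Paths an unauthenticated browser request would hit on an exposed node.
ES_PROBE_PATHS = ("/", "/_cat/indices?format=json")


def classify_response(status, body):
    """Map an HTTP status and body from port 9200 to an exposure verdict."""
    if status in (401, 403):
        return "auth-required"          # security enabled; credentials demanded
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "not-elasticsearch"      # some other service on the port
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "open-cluster-info"      # root endpoint served without auth
    if isinstance(data, list) and all(isinstance(i, dict) and "index" in i for i in data):
        return "open-index-listing"     # every index name and doc count readable
    return "unknown"


def summarize_indices(body):
    """Return (index name, document count) pairs from a _cat/indices?format=json body."""
    return [(i["index"], int(i.get("docs.count") or 0)) for i in json.loads(body)]


def probe(host, port=9200, scheme="http", timeout=5):
    """Fetch each probe path with no credentials and classify the result.

    Network-dependent; only run this against hosts you are authorised to test.
    """
    results = {}
    for path in ES_PROBE_PATHS:
        url = f"{scheme}://{host}:{port}{path}"
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, body = resp.getcode(), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:      # 401/403 arrive here
            status, body = err.code, err.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError) as err:
            results[path] = ("unreachable", str(err))
            continue
        results[path] = (classify_response(status, body), body[:200])
    return results


# Constructed sample responses (assumed shapes; not captured from the leaked server).
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "6.5.4"}, "tagline": "You Know, for Search",
})
SAMPLE_INDICES_OPEN = json.dumps([
    {"health": "yellow", "status": "open", "index": "patients", "docs.count": "3427396"},
    {"health": "yellow", "status": "open", "index": "test_patients", "docs.count": "468086"},
])
SAMPLE_SECURED = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, (verdict, _snippet) in probe(sys.argv[1]).items():
            print(f"{path}: {verdict}")
    else:
        print("root, open:", classify_response(200, SAMPLE_ROOT_OPEN))
        print("indices, open:", summarize_indices(SAMPLE_INDICES_OPEN))
        print("root, secured:", classify_response(401, SAMPLE_SECURED))
```

A verdict of `open-index-listing` is the condition Shodan and BinaryEdge index: the index names and document counts are readable by anyone, and a `/<index>/_search` request would return the records themselves. A secured node returns HTTP 401 with a `security_exception` body instead.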

Elasticsearch cluster contents

As Diachenko found, the roughly 3.5 million records contained a wide variety of information, ranging from the "patients'" full names, dates of birth, national ID numbers, and addresses to their medical insurance numbers, e-mail addresses, and phone numbers.

While the researcher is still checking whether the database contains duplicate patient records, he says that, if it does not, "With Panama total population number 4,1M, the exposed number of 3,4-4,8M records would correspond to almost 90% of the country’s people."

After discovering the unsecured database, Diachenko "immediately sent a notification alert to CERT Panama, and within 48 hours the database has been secured."

Sample record

To make things even worse, the same server also exposed an open Remote Desktop Protocol (RDP) port, which would allow anyone holding valid credentials to remotely control the server, and anyone else to attempt to guess them.

As the researcher further discovered using the BinaryEdge internet scanning platform, the server was running Windows Server 2012 with four user accounts named Administrator, Prog03, Prog02, and Josh, the first two of which were signed in at the moment the server was scanned.

Despite all his efforts, Diachenko was unable to identify the owner of the server and of the publicly accessible Elasticsearch cluster: neither was hosted on a custom domain, and the database contents gave no hint as to who was responsible for the leak.

Server RDP login screen

Long list of unsecured Elasticsearch databases

Just this year, misconfigured Elasticsearch databases leaked roughly 33 million profiles of Chinese job seekers, over 108 million bets placed at online casinos, exposing the bettors' PII, and hundreds of thousands of sensitive legal documents labeled as "not designated for publication."

Another 114 million records on US citizens and companies, as well as over 32 million records of SKY Brasil customers, were also exposed by unprotected Elasticsearch databases in November 2018.

Elasticsearch servers should not be exposed to the Internet; they should be reachable only from the internal network, as Elasticsearch's developers explained in a blog post in December 2013.

Elastic also advises Elasticsearch administrators to set passwords for the server's built-in users, to secure the Elastic Stack by "encrypting communications, role-based access control, IP filtering, and auditing," and to properly configure their Elasticsearch installation.
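What those recommendations look like in practice, as an added illustration that is not from the article or from Elastic's documentation: an `elasticsearch.yml` fragment contrasting the settings typically found on exposed clusters with a hardened equivalent. The interface address, subnet, certificate paths and audit choices are assumptions for the example; the setting names are the X-Pack security options, which Elastic made available without a paid license starting with Elasticsearch 6.8 and 7.1 (released in May 2019).

```yaml
# elasticsearch.yml: added example contrasting an exposed configuration with a hardened one.
# Addresses, subnets and file paths below are assumed values for illustration.

# --- WEAK: what exposed clusters typically look like ---
# network.host: 0.0.0.0            # binds every interface, including the public one
# xpack.security.enabled: false    # no authentication; anyone who connects can read and write

# --- HARDENED ---
network.host: 10.0.1.15            # internal interface only, never a public or cloud-assigned address
http.port: 9200

# Authentication and role-based access control. After enabling this, set the built-in
# user passwords (elastic, kibana, logstash_system, ...) with
#   bin/elasticsearch-setup-passwords interactive
# and grant applications narrowly scoped roles instead of the elastic superuser.
xpack.security.enabled: true

# Encrypt node-to-node (transport) and client (HTTP) traffic; certificates generated
# with bin/elasticsearch-certutil, paths relative to config/.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# IP filtering: only the application subnet may reach the REST API, everything else is dropped.
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: ["10.0.1.0/24"]
xpack.security.http.filter.deny: _all

# Audit log, so that access can be reviewed after an incident like the one described above.
xpack.security.audit.enabled: true
```

The `network.host` line is the single setting that would have kept this cluster off Shodan; the rest limits the damage when a host is reachable anyway. On a cloud host, the instance's security group or firewall should also restrict 9200 and 9300 to the internal subnet, so that a later configuration change cannot silently re-expose the service.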