What are you looking for?
  • /
  • News
  • /
  • Youth-run agency AIESEC exposed over 4 million intern applications
January 21, 2019
80 Views

Youth-run agency AIESEC exposed over 4 million intern applications

AIESEC, a non-profit that bills itself as the “world’s largest youth-run organization,” exposed more than four million intern applications with personal and sensitive information on a server without a password.

Bob Diachenko, an independent security researcher, found an unprotected Elasticsearch database containing the applications on January 11, a little under a month after the database was first exposed.

Create FREE Flipbook.
Get Millions of readers.
It's 100% FREE!

Publish your digital ePaper in 2 Minutes or less. With the FREE service at Yumpu.com.

Start now!Sponsored

The database contained “opportunity applications” contained the applicant’s name, gender, date of birth, and the reasons why the person was applying for the internship, according to Diachenko’s blog post on SecurityDiscovery, shared exclusively with TechCrunch. The database also contains the date and time when an application was rejected.

AIESEC, which has more than 100,000 members in 126 countries, said the database was inadvertently exposed 20 days prior to Diachenko’s notification — just before Christmas — as part of an “infrastructure improvement project.”

The database was secured the same day of Diachenko’s private disclosure.

Laurin Stahl, AEISEC’s global vice president of platforms, confirmed the exposure to TechCrunch but claimed that no more than 40 users were affected.

Stahl said that the agency had “informed the users who would most likely be on the top of frequent search results” in the database — some 40 individuals, he said — after the agency found no large requests of data from unfamiliar IP addresses.

“Given the fact that the security researcher found the cluster, we informed the users who would most likely be on the top of frequent search results on all indices of the cluster,” said Stahl. “The investigation we did over the weekend showed that no more than 50 data records affecting 40 users were available in these results.”

Stahl said that the agency informed Dutch data protection authorities of the exposure three days after the exposure.

“Our platform and entire infrastructure is still hosted in the EU,” he said, despite its recently relocation to headquarters in Canadia.

Like companies and organizations, non-profits are not exempt from European rules where EU citizens’ data is collected, and can face a fine of up to €20 million or four percent — whichever is higher — of their global annual revenue for serious GDPR violations.

It’s the latest instance of an Elasticsearch instance going unprotected.

A massive database leaking millions of real-time SMS text message data was found and secured last year, a popular massage service, and phone contact lists on five million users from an exposed emoji app.

Shodan Safari, where hackers heckle the worst devices put on the internet


TechCrunch



Danielle E.
Hi, I'm Danielle Eubanks! I'm an entrepreneurial and for the past 10 years I’ve been studying the Digital Publishing Landscape and it seemed a natural progression into a “helping” profession.