Data Breach at Kingo Energy
About two and a half months ago I came across a completely unprotected CouchDB installation sitting out on the open internet. As usual in my server scouring, no username or password was required for access. Several screenshots of this database are viewable along with this post.
Perhaps the most disturbing part of this breach is the inclusion of hi-resolution photographic images for both the front and back of Kingo customers’ Guatemalan national ID cards. Yes, it appears that, along with photos of the signed client contract, Kingo requires agents to take pictures of a new customer’s national identification card. Kingo then had the gall to store this highly sensitive data in an open, unprotected database that anyone in the entire world could access with a regular web browser.
Just to clarify a few things—It did not take the entire two and a half months to get this database secured. Personally, my Spanish is not great and language barriers can be daunting. Two years of high school Spanish has barely left me able to ask for directions. So, while I did understand that this breach would definitely need to be fixed, I put it on the back burner for a little bit while contemplating the best approach to take in contacting the right people.
Following an unrelated Columbian Government-related data breach, I met a high-level, native Spanish-speaking contact at Symantec. After considering him as a possible avenue to help reach the right people at Kingo, I took action on August 24th and, a few days later, the database became password-protected.
Kingo has not been greatly forthcoming on the exact details regarding which of my attempted breach notifications they received first, so I don’t know if it was my direct English-written email titled “Data Breach Notification,” or perhaps my Symantec contact, or one of the other avenues I attempted. However, Kingo has issued the following response:
[…] Our apologies for the late response but we were working on fixing the issue as a top priority.
Please allow us to tell you a bit about who we are and what we do:
Our mission at Kingo is "turning lives on", by providing a pre-paid solar system service for impoverished communities in Guatemala who lack of electricity. We are working to improve the life quality of many people by providing a solar energy system that provides illumination and positively impacts our customers in several areas such as financial savings, productivity, education, health and security.
As an [sic] startup company we are constantly moving in order to have better and more reliable information systems. This is why we appreciate your inputs related to the recent data base issue reported.
We have taken immediate actions in order to secure the data. We are going to invest the needful resources in order to guarantee the privacy of our customer's personal information.
Thank you again for your inputs, sincerely
This is certainly a very polite response from Kingo. They aren’t trying to call me a dirty hacker. They haven’t tried to blame the breach on a third-party contractor, and they aren’t trying to claim that it’s just a fictitious database. Those are the usual knee-jerk reaction statements I get from companies (which, by my own estimation, are lies about 90% of the time).
Let’s just hope I was one of only a few people to discover this database while it was unprotected and exposed. I know that there are many people actively scanning for exposed CouchDB instances, so, while I was probably not the sole person to find it, I’m crossing my fingers that no one with identity theft in mind grabbed a copy.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery.