AIESEC, a non-profit that bills itself as the “world’s biggest youth-run organization,” exposed more than four million intern applications containing personal and sensitive information on a server without a password. Bob Diachenko, an independent security researcher, found the unprotected Elasticsearch database containing the applications on January 11, a little under a month after the database was first exposed.
The database held “opportunity applications” that included the applicant’s name, gender, date of birth, and the reasons why the individual was applying for the internship, according to Diachenko’s blog post on Security Discovery, shared exclusively with TechCrunch. The database also recorded the date and time when an application was rejected.
AIESEC, which has more than 100,000 members in 126 countries, said the database was inadvertently exposed 20 days before Diachenko’s notification, just before Christmas, as part of an “infrastructure improvement project.” The database was secured the same day Diachenko privately disclosed it.
Laurin Stahl, AIESEC’s global VP of platforms, confirmed the exposure to TechCrunch but said that no more than 40 users were affected.
Stahl said that the organization had “informed the users who would most likely be on the top of frequent search results” in the database, about 40 people, he said, after it found no large data requests from unfamiliar IP addresses.
“Given the fact that the security researcher found the cluster, we informed the users who would most likely be on the top of frequent search results on all indices of the cluster,” said Stahl. “The investigation we did throughout the end of the week demonstrated that close to 50 data records affecting 40 users were available in these results.”
Stahl said that the organization informed Dutch data protection authorities three days after the exposure. “Our platform and entire infrastructure is still hosted in the EU,” he stated, despite its recent relocation of headquarters to Canada.
Like companies and other organizations, non-profits are not exempt from European data protection rules where EU citizens’ data is collected, and can face a fine of up to €20 million or four percent of their global annual revenue, whichever is higher, for serious GDPR violations. It’s the latest case of an Elasticsearch instance left unprotected.
A year ago, a massive database belonging to a popular messaging service that was leaking millions of real-time SMS text messages was found and secured, as were the phone contact lists of five million users from an exposed emoji app.