Unsecured MongoDB database containing over 200 million CVs exposed

This breach underlines the serious risks of relying on someone else to store your sensitive personal details on-line for an indefinite period. The information can be used, if hacked, for a very wide variety of purposes including home invasion, identity theft and attacks on organizations the individual has worked for. To this data can be added many minor pieces of hacked information, gained from other hacks or bought from other hackers, to produce a more detailed image of a person than the person may be aware of. The dangers are greatly increased because CVs are copied around by email and stored on very vulnerable servers owned by third parties. BRN Ed.

A huge MongoDB database containing over 200 million records with resumes from job seekers in China was left unprotected for at least one week, accessible to anyone able to locate it. The cache was 854GB in size. The exposed information, 202,730,434 records in total, includes all the details one would expect to see in a resume: personal information (full name, date of birth, phone number, email address, civil status), professional experience and job expectations.


Commenting on the news is Jonathan Deveaux, head of enterprise data protection for comforte:

“In the case of this data breach, or data exposure, the unprotected data was open and available for about a week, according to the report.  Forensics from past data breaches have revealed that outside access to data was typically available for months, and sometimes years.  Therefore, one might say that the owners of this database were ‘lucky’ that the data was only exposed for a week.


Another interesting detail about this data exposure incident is that the personal information resided in a MongoDB database. A quick view of the MongoDB website states that it is a document database that is highly scalable and flexible. And it’s free and open source. Does technology that is free and open source mean it’s unsecured? NO, but often data protection and privacy are applied *after* the initial objectives are met. This could mean that data is exposed and is unprotected for a while.


It is the responsibility of the administrator of the database, and ultimately the organisation collecting and storing the data, to enact effective data protection and privacy methods. An 854GB cache of data with 200 million records initially doesn’t seem to be small; however, in the daily workload of an organisation, it is possible that securing this database may have been missed.


No matter what the reason is behind this data exposure, this incident surely points out that any kind of data could be at risk at any given time. More must be done to consider data protection and privacy at the earliest point of entry into databases, files, and other stored areas, so as to minimise exposures of all sizes.”