He discovered this open database, which was part of a cloud setup from either company or its contractors, on April 15th. The company sealed off the database immediately after being contacted by Diachenko but confirms unauthorized access.
Found – Informed – Secured
Fortum Poland is a Finland’s state-owned energy company that’s having CHP plants over 800km area, and serving over 100,000 clients in Plock, Wroclaw, Czestochowa, Zabrze, etc. areas. The company is an active producer of electricity and gas to both individuals and corporates. On April 15th this year, an Elasticsearch scan by Bob Diachenko found a database containing millions of records of Fortum’s customers. The exact records count is of 3,376,912. This number doesn’t necessarily reflect on the number of people affected, as they are customers who’ve been subscribed to multiple services like heating, gas, and electricity. But, the leaked information, which contained the customer’s full name email address, phone number, residential address, PESEL (national ID number), and type of contacts he/she subscribed to. Right after finding this open database, Diachenko responsibly disclosed this to Fortum, and the company has secured the database within 24 hours. The company explained the cause of database leaking is because their service suppliers were working on improving the document search efficiency. And when started an internal investigation, they confirmed unauthorized access! They claim to have informed the GDPR office and continue the internal research. Bob Diachenko says that a number of servers that store such sensitive databases are hosted online improperly. System admins should secure those servers with passwords and other encryption protocols to safeguard their databases. Source: Security Discovery