In the payment card industry (PCI), this philosophy, combined with no real liability, has led to some amazing laziness when it comes to security. This has changed recently, and liability is now on the store/outlet. The problem is that not all of the data collected out there is covered under regulations like HIPAA, PCI, etc. Personally identifiable information is barely covered, so some companies spend no time at all protecting it.
Over the last few weeks, a number of databases have been found sitting open on the internet for all to see and anyone to grab. Two of these were found by Chris Vickery. We have already reported on the first one, MacKeeper. This was an open MongoDB database which contains quite a bit of personal information, but thankfully no credit card info. The latest one is for the Hello Kitty game. As with MacKeeper, Vickery found the database by using Shodan. Shodan is a very powerful and dangerous site that can be used to find all sorts of fun stuff with a few simple searches.
If Vickery is to be believed (and there is no reason not to), then the people behind the Hello Kitty game, SanrioTown, have a problem. Their user database (roughly 3.3 million) is sitting out in the open on the web and can be accessed by anyone. To make things worse, there are users under the age of 18 listed in the database. SanrioTown says that they do not allow anyone under 13 to register, but as we all know, kids can get around that, and even having 13- to 17-year-old users vulnerable is very bad.
For now, SanrioTown is saying they are investigating the claims and nothing more. We hope that Vickery and others continue to point out this type of laziness. Maybe it will slowly change the mindset… what was I thinking. The companies in question will just seek to ban Shodan or sue the people pointing out their laziness. It is always better to spend money on lawyers to hide problems than to spend money on fixing them.