Yesterday, TechCrunch broke the story of a data exposure at MoviePass. The theater subscription service exposed thousands of customer card numbers and other sensitive information in an online database.
Cybersecurity expert Mossab Hussain of Dubai-based SpiderSilk discovered the exposed server. He informed TechCrunch of his discovery almost immediately. The server contained about 161 million records, most of which consisted of automatic logs for maintenance. However, it also contained 58,000 MoviePass customer cards (a number which continued to grow as the story broke).
These MoviePass customer cards function identically to other debit cards. MasterCard issues them, and customers store a cash balance on them. Customers can then use this balance to pay for movies at the theater at a discounted rate.
The exposed database also contained actual credit card details, including credit card numbers, expiration dates, and billing addresses. Hackers could easily use this information to make fraudulent purchases. Some of the cards were protected through masking (only the last four digits were exposed). Others were not.
Additionally, Mr. Hussain and TechCrunch discovered that the server stored email addresses and failed login attempts in real time. This information remained exposed and unencrypted.
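To make the masking point concrete, here is an added example (not code from MoviePass, TechCrunch, or SpiderSilk) of a log scrubber that masks full card numbers down to their last four digits and redacts email addresses before log lines are stored. The log format and field names are constructed for illustration, and the card number is a widely published test number, not a real card.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample lines (hypothetical format, not the real MoviePass logs).
SAMPLE_LOG = [
    "2019-08-20T10:01:02Z card_update user=alice@example.com pan=5555555555554444 exp=12/21",
    "2019-08-20T10:01:05Z card_update user=bob@example.com pan=************4444 exp=01/22",
    "2019-08-20T10:01:09Z login_failed user=carol@example.com attempt=3",
    "2019-08-20T10:01:11Z job=cleanup batch=1234567890123456 status=ok",
]

def luhn_ok(digits):
    """Luhn checksum: separates plausible card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_line(line):
    """Return (redacted line, number of full card numbers found in it)."""
    hits = 0
    def mask(match):
        nonlocal hits
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()            # batch ids etc. are left untouched
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    line = PAN_RE.sub(mask, line)
    return EMAIL_RE.sub("<email>", line), hits

def scrub(lines):
    """Return (scrubbed lines, count of lines that held an unmasked card number)."""
    out, exposed = [], 0
    for line in lines:
        clean, hits = redact_line(line)
        out.append(clean)
        exposed += 1 if hits else 0
    return out, exposed

if __name__ == "__main__":
    cleaned, exposed = scrub(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("lines with unmasked card numbers:", exposed)
```

The Luhn check keeps the scrubber from mangling ordinary numeric identifiers, and the returned count gives operators a signal that some code path is still writing full card numbers.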
At the time of writing, it remains unclear whether malicious threat actors found the exposed MoviePass server before researchers did. The company did not respond to requests for comment. Unfortunately, MoviePass has experienced other setbacks over the past few months, marked by a significant drop in its subscriber numbers.
What The MoviePass Breach Says About CIAM
When identity security experts discuss customer identity and access management (CIAM), they usually do so in comparison to traditional IAM. For example, CIAM needs to balance security and convenience far more than traditional IAM; customers demand a smoother user experience and faster authentication procedures than employees do. Indeed, experts report customers tend to abandon their digital carts after unpleasant customer identity experiences.
However, CIAM must incorporate identity security as well as convenience. As a consumer-facing business, your enterprise has a responsibility to securely store your customers’ personally identifiable information (PII). In fact, because CIAM must provide the option for less secure logins and maintained sessions, it should emphasize stronger password hashing and storage capabilities. Additionally, it should secure the customer environment, whether on-premises or cloud-based.
Remember, failing to secure your customers’ data adequately can result in more than the loss of revenue and enterprise reputation. You also face compliance failure fines and other serious consequences.
What the Experts Say About The MoviePass Breach
Kevin Gosschalk is CEO of Arkose Labs
Companies must realize that digital commerce is built on data and convenience. Far too often data breaches occur due to companies leaving their databases unprotected, as witnessed last week with the first biometric database breach. Unfortunately, MoviePass suffered a breach because of the same severe lapse of security.
Consumers trust companies with their data, so much so that they save their payment and personal credentials for future use. They expect their information to be protected by the platform. Technically, this breach can be interpreted as the company giving away customer data for free. Furthermore, the breached data includes personally identifiable information (PII) and payment card information (PCI), leaving impacted customers vulnerable to future fraud or phishing attacks.
Unlike credit cards, debit cards don’t offer the same protection to customers. When a fraudulent transaction occurs on your credit card, you have lost no money and the issue will never impact your bank account. With a debit card, your bank account balance is directly affected from the moment the fraudulent transaction takes place. While the customers can put a hold on their cards, timing is the key in these types of situations. As this database was left publicly accessible, reportedly for months, companies must learn from MoviePass’s mistake and implement a proactive approach to fraud prevention that safeguards their customers’ data.
Robert Prigge is President of Jumio
Another week, another data breach. Today’s MoviePass breach is potentially massive in scale given the 161 million record database that was breached. It’s a little bit unclear how many of these records included sensitive consumer data, but what we should all expect is that a healthy chunk of this data will ultimately find a happy home on the dark web. What’s also clear is that KBA (knowledge-based authentication), which relies on the notion of shared secrets, should be heavily scrutinized as a reliable means of authentication.
Why? Given that more and more of our supposed shared secrets are now available for pennies on the dark web, the job of the fraudster—especially those focused on account takeovers—just got a little bit easier.
Adam Laub is CMO of STEALTHbits Technologies
There are really two separate, yet closely related components to this story. On one side you have a database rich with sensitive, personally-identifiable information that is readable in plaintext. On the other, you have a misconfiguration that allows anyone with internet access to view that information. Which is worse?
Had the data been masked, the information would still be accessible, but perhaps not so immediately valuable. If access rights were configured properly and appropriately, this discovery might never have been made and there would be no story in the first place. The right answer is both, as a layered approach to security is the ideal scenario, but either could have conceivably been enough to make this a non-issue.
While convenient to say in light of this particular situation, organizations of any type or size can drastically mitigate their risk of finding themselves in these types of situations by focusing their time on locating and limiting access to the data attackers would be most interested in, as well as verifying desired configurations are being adhered to across all devices and information assets.
Thanks to our experts for their time and expertise!
To learn more about CIAM and what it can offer your enterprise, check out our 2019 Identity Management Buyer’s Guide. We cover the top solution providers and their key capabilities. Also, we provide a Bottom Line analysis for each!