On the morning of 28 May 2019, information appeared about a data leak at the online British business journal Investment Week (investmentweek.co.uk), exposing 330,000 records of user data. The anonymous researchers who noticed the leak reported the details in a Reddit thread.

The vulnerability was discovered on 4 April 2019, and some may wonder why we are learning of this event so late. In fact, the company behind Investment Week – Incisive Media – did issue an announcement on 29 April, but the muted manner in which this was done failed to get any attention.

We got in touch with the researchers to bring you an exclusive report of the details.

The Investment Week leak: what, when, how?

On 4 April 2019, the researchers first discovered an unprotected Elasticsearch node on the Investment Week server. Two weeks later, on 18 April 2019, they probed manually and found a database containing approximately 330,000 unprotected records of sensitive personal user information:

  • Full names
  • Email addresses
  • Subscription information
  • City
  • Phone number
  • Company
  • Country

The database also contained unsalted, md5 hashed passwords. This is considered bad practice in cybersecurity circles because passwords hashed in this way are susceptible to brute-force attacks.

After successfully entering the database, the researchers approached Investment Week on the same day, but only received a response on 25 April 2019. This means the vulnerability existed for at least 21 days, assuming the fix came on the 25th. There is also the possibility (albeit impossible to confirm) that the database was exposed before the researchers initially detected the issue on 4 April.

Response from Incisive Media

Although the announcement on the Incisive Media website states that the situation has been fixed (the information has been removed from the server, an audit was carried out, the passwords were reset), the response is problematic in a number of ways.

Firstly, the window between when the company was informed of the breach (18 April) and when they informed the Information Commissioner’s Office (26 April) exceeds the 72-hour GDPR reporting requirement.

Aside from this legal issue, however, there are several ethical ones:

  • The announcement incorrectly claims that “no other information or data has been involved” in the leak other than the names, email addresses, and encrypted passwords of users.
  • It ignores the inadequate method of encryption.
  • It neither expressly mentions the affected website (investmentweek.co.uk), nor presents the information where users are most likely to see it (opting instead for the parent company website).

The risks

Talented identity fraudsters have been known to wreak havoc using very little personal information. Judged in this context, the Investment Week leak holds a lot of ammunition for various social engineering attacks, such as phishing, baiting, or pretexting. All of these refer to the practice of manipulating people using personal details in order to get more data or gain access to various services.

An important factor to consider is the Investment Week journal user base. This is a specialized publication, aimed at business and finance professionals – people with a lot to lose in terms of money, valuable information, and more. That’s yet another reason why we believe Incisive Media’s handling of the situation to be negligent.

The ethical hackers who noticed the Investment Week leak claim to have information on more vulnerabilities waiting in the pipeline.