in Breaches

1.1m People – House Mixes & Floor Depot & Emerald Home Improvement, Data Breach

16th August 2020, TurgenSec Limited, Statement v1.0

This data breach occurred when the owner of House Mixes (house-mixes.com) left a database open to anyone with a browser and an internet connection. The owner of House Mixes manages several databases for several companies, including Amber Commercial (Link to Amber Statement – previously disclosed – which impacted 500k UK individuals), Floor Depot, House-Mixes and Emerald Home Improvement, as well as several companies who are now no longer trading, but whose data is still present. 

Table of Contents show

Note: Throughout this disclosure the database management system containing information from House Mixes, Floor Depot, Emerald Home Improvement and several other companies shall be referred to as “DB1”. 

Note: As the owner of House Mixes also manages the database for Amber Commercial, the public disclosure of this breach was held until we released a public statement around the Amber Commercial breach. 

DB1 contained 671 million records, including the personal information of over 1,100,000 individuals, and a large number of headers relating to commercial activities of multiple businesses in construction and music in line with platform data gathering practices. The sensitive headers observed can be found in Appendix A.

TurgenSec acted in good faith attempting to communicate with House Mixes, Floor Depot, and Emerald Home Improvement but did not receive any responses from multiple outreach methods including direct Whatsapp communication with the listed directors and messaging administrators on the HouseMixes platform.

The complete outreach log to House-Mixes and Floor Depot can be found in Appendix B

Heading summary:

Headers relating to the personal information of users of the house-mixes platform as well as headers relating to the functional running and donation system. Headers relating to the commercial and consumer aspects of other businesses in the database including customer and staff information. 

Summary

  • Our security researchers discovered a sensitive open database accessible to anyone with a browser and internet connection during the development of its DataShadow product.
  • We made efforts to identify the owner of this database, and came to the conclusion that it was managed by the owner of House Mixes.
  • We made increasingly escalating attempts to contact those responsible for securing the database in order that they could close the data leak.
  • The company was unresponsive and those we communicated with closed the database after disclosure but then refused to interact with us.

Due to the sensitive nature of the data, which we judged to be of high risk to the rights of individuals involved, our number one priority was to close this security hole.

Since this data had been publicly accessible for a long time, our intention is to ensure the affected individuals are informed of the breach so they can act appropriately to protect themselves.

Disclosure Process

TurgenSec worked in line with its Responsible Disclosure Policy at all times, triaging the database the minimum amount to ascertain whether or not it should be in public domain, and when it was clear it should not be, who its owner was. 

Afterword

Background for Producing an Ethical Framework

One of the biggest problems facing security researchers is a choice between serious effort and potential legal threats while working in the public interest, versus making some money and taking the credit through an alias. This unfortunately is part of the reason certain ‘black hat’ markets boast over a million registered users. In the view of TurgenSec, a world where security researchers are incentivised to make the choices that benefit society is one that we should all work towards.

Ethical disclosures foster further ethical disclosures. Cases where researchers are discredited, abused or worse, end up serving jail time undoubtedly contribute to the culture that has seen the personal data of hundreds of millions of people leaked online. Each organisation that mistreats security researchers reduces the likelihood of future ethical notification to other breached organisations.

Ultimately, for as long as there is no financial incentive to behave ethically, there is little hope of change for the better. Before the introduction of fines under data protection legislation, there were few circumstances in which a company would suffer significant ramifications for leaking their users’ data (and there were no legal obligations to notify). The users impacted would bear the cost of these mistakes, through fraud enabled and enhanced by the data leaked without their knowledge. This lack of transparency was coupled with the fact that the individuals exploited were disproportionately vulnerable people. Previously, responsible organisations were not held accountable. 

With data protection legislation becoming increasingly widespread, GDPR has been a game-changer, allowing individuals far more power than before, and increasing organisations’ accountability for the handling their data. Now that people have the right to claim compensation when their data is mishandled, and the fines are enshrined in European law, individuals and data protection authorities now have real power to hold data controllers and processors to account.

By increasing the responsibility and accountability taken on by organisations handling data will mean significantly better cybersecurity for us all, allowing us to fight fraud (which has risen year on year, and mostly involves exploiting data) on a level playing field, rather than against the tide.

As no internationally accepted set of ethical principles upon which individuals and organizations can be informed of data breaches exists at present, we have based our policies on NCSC advice, the main GDPR principles, the CMA’s definition of public good, and existing standards within other industries, including how breaches of confidentiality are dealt with within the medical industry.

Universal Disclosure Principles

  1. The lawful, timely discovery of datasets containing sensitive information disclosed publicly in error, inadvertently or maliciously.
  2. The protection of the rights of individuals, in particular the right to privacy enshrined in data protection legislation internationally. Privacy is a fundamental human right in accordance with the UN Declaration of Human Rights, we seek to protect it. Organizations that value their privacy and confidentiality protect their employees indirectly through their bottom line, but also personally as they have entrusted their private data to the care and due diligence of their employer. 
  3. Timely and consistent communication with organisations found to be suffering from a security or data breach, however caused. Efforts will be made to make contact with the individuals or organisations affected by the breach in as timely and consistent fashion as possible.
  4. The application of fair and ethical standards, which balance the rights of individuals and organisations. We look to work with organisations to create a more secure digital world where data rights are upheld and the security and correct handling of individuals’ data is performed in a transparent and informative way. 
  5. Transparency with impacted parties as to the extent and content of the information breached.
  6. Adherence to the letter and spirit of legislation protecting personal data and the rights of individuals.

Public Disclosure

Public Disclosure Goals

  1. Bring the breach to the attention of affected individuals, without any semblance of doubt.
  2. Incentivise appropriate behaviour by demonstrating the outcomes when organisations do not act in line with ICO and NCSC guidance.
  3. Raise awareness and scrutiny of data breaches and data security.
  4. Act transparently with the public and involved parties.
  5. Prevent the spread of false information about the nature of the breach.

Why is Public Disclosure important?

The above goals are motivated by the following:

  1. When it is impossible to identify the organisation responsible for the data breach, public disclosure brings more people into identification efforts so that the breach can be resolved.
  2. Where companies eschew their obligations in the run up to, and in the aftermath of, a data breach, Public Disclosure increases awareness of the costs of doing so, a vital contributor to global efforts to ensure appropriate care is taken to secure data and protect the rights of individuals
  3. So that individuals are aware of the dangers of the services they use and are able to more appropriately judge when to share potentially compromising data, and what standard of care to expect from those they entrust with their data.
  4. To earn the trust of the public, and any involved parties, by clearly outlining the truth of what has occured.
  5. Public Disclosure protects individuals being exploited by malicious parties looking to take advantage of the news by providing a ground-truth to the extent of leaked data. Further, it protects TurgenSec and others from bribery, threats, gag orders, manipulation and legal coercion to conceal the existence of or downplay a data breach.

Appendix A – Data Headings as Observed by TurgenSec

HouseMixes Headings

  • AccountID
  • AuthorAccountID
  • Bio
  • ArtistName
  • Email
  • PasswordHash
  • FullName
  • DOB
  • City
  • Gender
  • PostalCode
  • ForumAccountStatus
  • AccountType
  • VerificationCode
  • PasswordResetCode
  • AdminLevel
  • UserAgent
  • UserHostAddress
  • Donations
    • AccountID
    • Amount
    • DateTime
    • TransactionID
    • PaymentMethod
    • TxnID
    • Description
  • Messages
    • FromAccountID
    • Subject
    • MessageBody
    • DateSent
    • OutboxStatus
    • Recepients
      • ID
      • ToAccountId
      • InboxStatus

Emerald Headings

  • Address
  • Age
  • ApiKey
  • AppointmentDate
  • AppointmentId
  • AppointmentStatus
  • AppointmentStatusIds
  • AppointmentWeek
  • AppointmentYear
  • AreaName
  • Attachemnts
  • AttachmentConflictResolution
  • BankAccountNumber
  • BankName
  • BankSortCode
  • BeginDate
  • CallLogs
  • ClientConfiguration
  • ClientId
  • ClientVisibleUrl
  • DateCustomerCancelled
  • DateFinished
  • DateImported
  • DateInstalled
  • Debit
  • DecisionMaker
  • Deposit
  • DepositForFinancePercentCalculation
  • DepositMethod
  • Dob
  • DocumentKeyColumn
  • EMail
  • EmployeeNumber
  • EmploymentType
  • FailedLoginPassword
  • FinanceNumber
  • FinancePercent
  • FinanceSubjectToConditions
  • FinanceSubsidy
  • FinanceTerm
  • FinanceToCash
  • FinanceTotal
  • FriendlyName
  • FromDate
  • FromMonth
  • FromMonthYear
  • FromWeek
  • FromYear
  • FullAddress
  • Gender
  • HasDrivingLicense
  • Identities
  • InterviewDate
  • Invoices
  • InvoiceSum
  • Ip
  • LastLoginDate
  • Lead
  • LeadId
  • LeadSourceId
  • LeadSourceName
  • LeadSourceSubId
  • LeadSourceTypeEnum
  • LeadsShowPaidDataOption
  • Logins
  • Logs
  • MobileNumber
  • Name
  • NiNumber
  • Password
  • PasswordResetCode
  • PasswordResetStatus
  • PhoneNumber
  • Postcode
  • Reason
  • ReasonLeftCompany
  • ReasonNotSold
  • SmtpFromEmail
  • SmtpHost
  • SmtpPassword
  • SmtpPort
  • SmtpUseCustom
  • SmtpUsername
  • SmtpUseSsl
  • TelNumber
  • TextLocalPassword
  • TextLocalUsername
  • Title
  • Username

Appendix B – Outreach to House Mixes & Floor Depot & Emerald Home Improvement:

  • 6th May 2020 –  TurgenSec emailed the email listed on House Mixes website providing them with sufficient evidence to confirm the legitimacy of our claim of a data breach, and our responsible disclosure policy. 
  • 21st May 2020 – TurgenSec emailed the email listed on House Mixes website requesting cooperation and attaching our responsible disclosure policy. 
  • 21st May 2020 – TurgenSec emailed the DPO email listed on Emerald Home Improvements website in line with our Responsible Disclosure Policy as we could not contact HouseMixes who we speculated was the database owner and Emerald Home Improvements was an impacted party. We provided them with enough information to evidence the legitimacy of our claim of a data breach, and our responsible disclosure policy. 
  • 24th May 2020 – A TurgenSec director reached out to the listed director of Floor Depot on Whatsapp in line with our Responsible Disclosure Policy as an impacted party explaining the situation, providing them with our responsible disclosure policy and requesting a phone call. All the messages were seen by the director on whatsapp. 
    • TurgenSec did not get a response.
  • 25th May 2020 – A TurgenSec director reached out to the listed director of Floor Depot on Whatsapp informing them of our next steps, requesting they read our responsible disclosure policy and asking to “work together on crafting a public disclosure” with the intention of informating the impacted individuals that their data had been breached. All the messages were seen by the director on whatsapp. 
    • TurgenSec did not get a response.

Note: Following these Whatsapp messages the database was closed. 

  • 25th May – 5th June 2020 – TurgenSec made multiple attempts to communicate with all the impacted organisations to open a dialog, but received no responses.