{"id":2037509,"date":"2024-11-25T10:07:01","date_gmt":"2024-11-25T15:07:01","guid":{"rendered":"https:\/\/securityboulevard.com\/?p=2037509"},"modified":"2024-11-25T10:14:10","modified_gmt":"2024-11-25T15:14:10","slug":"huge-leak-of-customer-data-includes-military-personnel-info","status":"publish","type":"post","link":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/","title":{"rendered":"Huge Leak of Customer Data Includes Military Personnel Info"},"content":{"rendered":"<p>A company with a California address that runs an online promotional gift platform exposed emails from more than 300,000 customers \u2013 including about 2,500 from U.S. military and government domains \u2013 and has apparent links with China, raising operational and national security concerns.<\/p>\n<p>Researchers with Cybernews in July discovered an Elasticsearch instance belonging to EnamelPins that was unsecured and contained the 300,000-plus emails sent between the company and its customers, with the emails containing such data as full names, other private personal information, and product design documents.<\/p>\n<p>While the Cybernews researchers found the open Elasticsearch instance on July 10, it was first indexed on the search and analytics engine on April 22 and \u2013 after \u201cmultiple follow-up emails and submissions to CERT (Computer Emergency Response Team),\u201d <a href=\"https:\/\/cybernews.com\/security\/military-officials-exposed-using-china-linked-promotional-gift-shop-gs-jj\/\" target=\"_blank\" rel=\"noopener\">they wrote<\/a> \u2013 was finally closed by EnamelPins on November 
5.<\/p>\n<p>The EnamelPins customers whose information was exposed by the open instance risk being targeted by bad actors with spearphishing and other cyberattacks, with the Cybernews researchers warning that the \u201clong exposure increases the risks of third-party threat actors accessing the data.\u201d<\/p>\n<h3>Popular Gift Service<\/h3>\n<p>EnamelPins, a privately-held company with headquarters in Walnut, California, that has been around for more than five years, runs a gift service \u2013 gs.jj[.]com \u2013 through which civilians, military personnel, and government workers can order emblematic accessories such as soft and hard lapel pins, medals, and patches that EnamelPins designs and manufactures. According to the company, it has more than 20,000 customers.<\/p>\n<p>About 2,500 of the exposed emails were from .mil and .gov domains and belonged to various military and government branches. Most of the emails involved orders for products like coins, medals, battalion emblems, and patches.<\/p>\n<p>The researchers wrote that \u201cthe emails and attachments exposed sensitive information about high-ranking military officials. They could be used to determine their position in certain Army units, phone numbers, email addresses, and shipping addresses. The attachments included designs for the emblems.\u201d<\/p>\n<h3>Links to China<\/h3>\n<p>Adding to the troubling exposure of information of civilian and military customers were operational links with China.<\/p>\n<p>Other security issues with the EnamelPins website included leaked information about a Git repository, which is used to virtually store versions of a project\u2019s code and track changes made to files. In this case, the leaked Git repository information included the configuration, folder, and file structure of the website.<\/p>\n<p>Cybernews researchers said the leaked information appears to have been accidentally uploaded and left open, revealing the links with China. 
The information revealed that the website\u2019s source code repository is hosted on a server in China and that its assets are hosted on Alibaba Cloud. The administration login page is written in Chinese.<\/p>\n<p>In addition, they noted that customer support personnel communicate in broken English and that \u201clonger delivery times reflect shipping from China.\u201d EnamelPins\u2019 communications on YouTube note that it has a \u201ccomplete expert team in China\u201d with a lot of offices and agencies in North America.<\/p>\n<h3>A Tense Time<\/h3>\n<p>The exposure of so much information \u2013 particularly of military and government personnel \u2013 also comes at a <a href=\"https:\/\/securityboulevard.com\/2024\/11\/the-cyberthreats-from-china-are-ongoing-u-s-officials\/\" target=\"_blank\" rel=\"noopener\">time of increasing tensions<\/a> between the United States and China, including ongoing cyber campaigns being run by Chinese state-sponsored threat groups that are using intrusions into the networks of critical infrastructure organizations in the United States to steal data and create a long-term presence in the compromised systems.<\/p>\n<p>\u201cThis leak illustrates how a simple emblem order may become a potential Operational Security failure within the US military and government,\u201d the researchers wrote.<\/p>\n<p>They don\u2019t know where EnamelPins stores customer data, but added that the United States doesn\u2019t have a law similar to the European Union\u2019s <a href=\"https:\/\/securityboulevard.com\/2024\/10\/how-to-automate-gdpr-compliance\/\" target=\"_blank\" rel=\"noopener\">General Data Protection Regulation<\/a> (GDPR) that requires data to be stored locally to reduce the risk of exposure.<\/p>\n<p>\u201cDue to the Chinese government\u2019s broad powers to access data, it may be risky for US Government and Military officials to use Chinese services, especially in the official settings,\u201d the researchers wrote. 
\u201cThis leak raises OPSEC concerns, as ordering patches, emblems, and other items can inadvertently expose ranks, divisions, and personal information.\u201d<\/p>\n<p>They added that instances within Elasticsearch that hold sensitive data need protection through firewalls, authentication tools, and authorization systems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>EnamelPins, which manufactures and sells medals, pins, and other emblematic accessories, for months left open an Elasticsearch instance that exposed 300,000 customer emails, including 2,500 from military and government personnel. The company, based in California, also has links to China, Cybernews researchers wrote.<\/p>\n","protected":false},"author":20461,"featured_media":2037511,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[230,23406,13571,21858,21028,20984,14089,14098,30205,14097,98631,99462,99461,13418,14096],"tags":[523,12807,104349,82124,14071],"class_list":["post-2037509","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-security","category-blogs","category-data-security","category-sb-featured","category-governance-risk-compliance","category-incident-response","category-network-security","category-sb-news","category-security-awareness","category-sb","category-social-facebook","category-social-linkedin","category-social-x","category-sb-spotlight","category-threat-intelligence","tag-china","tag-elasticsearch","tag-enamelpins","tag-leaked-data","tag-phishing"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v23.9 (Yoast SEO v23.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ 
-->\n<title>Huge Leak of Customer Data Includes Military Personnel Info - Security Boulevard<\/title>\n<meta name=\"description\" content=\"EnamelPins, which left an Elasticsearch instance that contained customer data open for months, has links to China, researchers say.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Huge Leak of Customer Data Includes Military Personnel Info\" \/>\n<meta property=\"og:description\" content=\"EnamelPins, which manufactures and sells medals, pins, and other emblematic accessories, for months left open an Elasticsearch instance that exposed 300,000 customer emails, including 2,500 from military and government personnel. 
The company, based in California, also has links to China, Cybernews researchers wrote.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Boulevard\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/groups\/24445075146\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-25T15:07:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-25T15:14:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"770\" \/>\n\t<meta property=\"og:image:height\" content=\"330\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jeffrey Burt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@securityblvd\" \/>\n<meta name=\"twitter:site\" content=\"@securityblvd\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/\",\"url\":\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/\",\"name\":\"Huge Leak of Customer Data Includes Military Personnel Info - Security 
Boulevard\",\"isPartOf\":{\"@id\":\"https:\/\/securityboulevard.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg\",\"datePublished\":\"2024-11-25T15:07:01+00:00\",\"dateModified\":\"2024-11-25T15:14:10+00:00\",\"author\":{\"@id\":\"https:\/\/securityboulevard.com\/#\/schema\/person\/f38bb7663c788778985274cf1b68758a\"},\"description\":\"EnamelPins, which left an Elasticsearch instance that contained customer data open for months, has links to China, researchers say.\",\"breadcrumb\":{\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#primaryimage\",\"url\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg\",\"contentUrl\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg\",\"width\":770,\"height\":330,\"caption\":\"military\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/securityboulevard.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurit
y\",\"item\":\"https:\/\/securityboulevard.com\/category\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Data Security\",\"item\":\"https:\/\/securityboulevard.com\/category\/blogs\/data-security\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Huge Leak of Customer Data Includes Military Personnel Info\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/securityboulevard.com\/#website\",\"url\":\"https:\/\/securityboulevard.com\/\",\"name\":\"Security Boulevard\",\"description\":\"The Home of the Security Bloggers Network\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/securityboulevard.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/securityboulevard.com\/#\/schema\/person\/f38bb7663c788778985274cf1b68758a\",\"name\":\"Jeffrey Burt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityboulevard.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2023\/07\/cropped-Jeffrey-Burt-photo-96x96.jpg\",\"contentUrl\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2023\/07\/cropped-Jeffrey-Burt-photo-96x96.jpg\",\"caption\":\"Jeffrey Burt\"},\"description\":\"Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He\u2019s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.\",\"url\":\"https:\/\/securityboulevard.com\/author\/jeffrey-burt\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Huge Leak of Customer Data Includes Military Personnel Info - Security Boulevard","description":"EnamelPins, which left an Elasticsearch instance that contained customer data open for months, has links to China, researchers say.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/","og_locale":"en_US","og_type":"article","og_title":"Huge Leak of Customer Data Includes Military Personnel Info","og_description":"EnamelPins, which manufactures and sells medals, pins, and other emblematic accessories, for months left open an Elasticsearch instance that exposed 300,000 customer emails, including 2,500 from military and government personnel. The company, based in California, also has links to China, Cybernews researchers wrote.","og_url":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/","og_site_name":"Security Boulevard","article_publisher":"https:\/\/www.facebook.com\/groups\/24445075146\/","article_published_time":"2024-11-25T15:07:01+00:00","article_modified_time":"2024-11-25T15:14:10+00:00","og_image":[{"width":770,"height":330,"url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg","type":"image\/jpeg"}],"author":"Jeffrey Burt","twitter_card":"summary_large_image","twitter_creator":"@securityblvd","twitter_site":"@securityblvd","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/","url":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/","name":"Huge Leak of Customer Data Includes Military Personnel Info - Security 
Boulevard","isPartOf":{"@id":"https:\/\/securityboulevard.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#primaryimage"},"image":{"@id":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#primaryimage"},"thumbnailUrl":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg","datePublished":"2024-11-25T15:07:01+00:00","dateModified":"2024-11-25T15:14:10+00:00","author":{"@id":"https:\/\/securityboulevard.com\/#\/schema\/person\/f38bb7663c788778985274cf1b68758a"},"description":"EnamelPins, which left an Elasticsearch instance that contained customer data open for months, has links to China, researchers say.","breadcrumb":{"@id":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#primaryimage","url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg","contentUrl":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg","width":770,"height":330,"caption":"military"},{"@type":"BreadcrumbList","@id":"https:\/\/securityboulevard.com\/2024\/11\/huge-leak-of-customer-data-includes-military-personnel-info\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/securityboulevard.com\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/securityboulevard.com\/category\/blogs\/"},{"@type":"ListItem","position":3,"name":"Data 
Security","item":"https:\/\/securityboulevard.com\/category\/blogs\/data-security\/"},{"@type":"ListItem","position":4,"name":"Huge Leak of Customer Data Includes Military Personnel Info"}]},{"@type":"WebSite","@id":"https:\/\/securityboulevard.com\/#website","url":"https:\/\/securityboulevard.com\/","name":"Security Boulevard","description":"The Home of the Security Bloggers Network","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/securityboulevard.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/securityboulevard.com\/#\/schema\/person\/f38bb7663c788778985274cf1b68758a","name":"Jeffrey Burt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityboulevard.com\/#\/schema\/person\/image\/","url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2023\/07\/cropped-Jeffrey-Burt-photo-96x96.jpg","contentUrl":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2023\/07\/cropped-Jeffrey-Burt-photo-96x96.jpg","caption":"Jeffrey Burt"},"description":"Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. 
He\u2019s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.","url":"https:\/\/securityboulevard.com\/author\/jeffrey-burt\/"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2024\/11\/ai-generated-8662832_1280-1.jpg","jetpack_shortlink":"https:\/\/wp.me\/p91vu9-8y33","_links":{"self":[{"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/posts\/2037509","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/users\/20461"}],"replies":[{"embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/comments?post=2037509"}],"version-history":[{"count":1,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/posts\/2037509\/revisions"}],"predecessor-version":[{"id":2037510,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/posts\/2037509\/revisions\/2037510"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/media\/2037511"}],"wp:attachment":[{"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/media?parent=2037509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/categories?post=2037509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/tags?post=2037509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}