Are your databases secure?

All your (data)base are belong to us

Do you know what Logezy, APIsec, ESHYFT, Mars Hydro, MyGiftCardSupply, and Sydney Tools have in common? 

Nothing?

They all kept a database with sensitive employee and customer information exposed on the internet. In total, 2.8 billion people have had their private data (names, postal addresses, email addresses, phone numbers, government ID information, and sometimes payment and health data) exposed to hackers, criminals, and other people with ill intent. 

All anyone had to do to find these databases was to bring up Shodan (a search engine that indexes internet-connected services, exposed databases included) and do a little digging. No password cracking, no vulnerability exploiting. Just search and find.

Digital transformation shenanigans

To make matters worse, this is just the tip of the iceberg - these are only the incidents from the first three months of 2025. Countless other businesses have done the same thing.

How did it happen?

Years ago, businesses switched to holding sensitive data in the cloud. That means the information is stored on a remote server and can be accessed through the browser or an app. This migration happened as part of the “digital transformation” effort that was all the rage in the mid-2010s.

You’re probably using a lot of cloud services, too. Dropbox, Gmail, iCloud, to name a few.

But what these businesses somehow “forgot” is that - when it comes to securing the data - cloud works on a “shared responsibility” model. In other words, it’s not just the provider’s job to secure the data, it’s also the job of the business. 

The service provider is responsible for securing the underlying infrastructure. That includes physical security (protecting data centers, servers, and networking equipment from unauthorized access), infrastructure security (managing and securing hardware, software, and networking components), platform security (ensuring the security of cloud services, including patching vulnerabilities and maintaining system integrity), compliance and certifications (meeting industry standards and regulatory requirements for data protection), availability and reliability (ensuring uptime, redundancy, and disaster recovery capabilities), and network protection (implementing firewalls, DDoS mitigation, and encryption for data in transit).

But it’s the customer’s job - your job - to encrypt the data in transit, to set up proper access management, and to set a strong password and multi-factor authentication.

Consider this a kind reminder to double-check all your databases and make sure they’re well-protected.
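Here’s what that double-check can look like in practice. This is an added example, not code from the original newsletter: it audits a Redis configuration file (picked because redis.conf is a plain line-based format; the same mistakes show up in MongoDB or Elasticsearch) for the customer-side controls just described: listening only on a private address, protected mode left on, a password or ACL users, and TLS. The two sample configs and the 16-character password threshold are constructed for the example and are not Redis defaults.

```python
"""Audit a redis.conf for the settings that turn a database into a search-engine hit:
listening on every interface, protected mode off, no password, no TLS.
Standard library only; run with `python redis_audit.py`."""

import shlex

# Constructed sample: the kind of config that ends up exposed on the internet.
WEAK_CONF = """\
# constructed example, not a real deployment
bind 0.0.0.0
protected-mode no
port 6379
# requirepass was never set
"""

# Constructed sample: the same server with the customer-side controls applied.
HARDENED_CONF = """\
bind 10.0.5.12
protected-mode yes
port 0
tls-port 6379
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
requirepass Lk9!vQ2#pR8@zT4wXm7$Hn3
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}
MIN_PASSWORD_LEN = 16  # assumed policy threshold for this example, not a Redis setting


def parse_redis_conf(text):
    """Return {directive: args} for a redis.conf body.

    Redis treats only lines that *start* with '#' as comments, so a '#' inside a
    password survives. A directive repeated later in the file wins, which is how
    redis-server resolves duplicates; 'user' (ACL) lines are collected as a list
    because several are allowed.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]
        if key == "user":
            cfg.setdefault("user", []).append(args)
        else:
            cfg[key] = args
    return cfg


def audit_redis_conf(cfg):
    """Return a list of (code, message) findings; an empty list means nothing found."""
    findings = []

    # 1. Network exposure: with no bind directive Redis listens on every interface.
    binds = [a.lstrip("-") for a in cfg.get("bind", [])]  # '-' marks an optional address
    if not binds or any(a in ALL_INTERFACES for a in binds):
        findings.append(("BIND_ALL", "listens on all interfaces; bind to a private address"))

    # 2. Protected mode is the last safety net when bind and password are both missing.
    if cfg.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append(("PROTECTED_MODE_OFF", "protected-mode disabled"))

    # 3. Authentication: requirepass or ACL users, and no 'nopass' user.
    pw_args = cfg.get("requirepass", [])
    password = pw_args[0] if pw_args else ""
    users = cfg.get("user", [])
    if (not password and not users) or any("nopass" in u for u in users):
        findings.append(("NO_AUTH", "no password required: anyone who can connect can read everything"))
    elif password and len(password) < MIN_PASSWORD_LEN:
        findings.append(("WEAK_PASSWORD", f"requirepass shorter than {MIN_PASSWORD_LEN} characters"))

    # 4. Encryption in transit.
    if cfg.get("tls-port", ["0"])[0] == "0":
        findings.append(("NO_TLS", "tls-port not set; data and password travel in plaintext"))
    else:
        if "tls-cert-file" not in cfg or "tls-key-file" not in cfg:
            findings.append(("TLS_INCOMPLETE", "tls-port set but certificate/key files missing"))
        if cfg.get("port", ["6379"])[0] != "0":
            findings.append(("PLAINTEXT_PORT_OPEN", "plaintext port still open next to TLS; set 'port 0'"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a config body in one call."""
    return audit_redis_conf(parse_redis_conf(text))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for code, msg in audit_text(conf) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it against your own `redis.conf` by reading the file into `audit_text`; any finding other than an empty list is something to fix before the database goes anywhere near a public IP. The checks map one-to-one onto the three customer-side duties above: BIND_ALL and PROTECTED_MODE_OFF are access management, NO_AUTH and WEAK_PASSWORD are the password, NO_TLS and its two variants are encryption in transit.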

If you don’t secure them, and criminals find the data, they’ll target your customers with malware, phishing, identity theft, and God knows what else. 

Then, when researchers find out who leaked the information, the government will target you. This can be particularly painful if you’re holding data on EU citizens - because GDPR. You can expect fines that burn through your wallet, since they go up to €20 million or 4% of global annual revenue (whichever is higher).

Your customers will drop you. Numerous studies have confirmed that people don’t trust brands that leak sensitive data and will take their spending elsewhere.

Hackers will always choose the path of least resistance which, in most scenarios, means betting on the mistakes of humans. People tend to forget to set up a password, or 2FA; they also tend to use the same passwords across multiple services, or use weak passwords that can easily be cracked. 

Securing a database is simple and can be done in just a few minutes. I strongly suggest you review your cloud tools. You can also use my cybersecurity checklist to make sure you don’t forget anything.

Until next time!

  • Sead from SmallBiz CyberWiz