The “Professional Association of Diving Instructors” (PADI) has exposed the personally identifiable information of its members after leaving an Elasticsearch server reachable from the internet without a password. The cluster contained 2,313,197 records concerning American divers who had been certified by PADI in the past. Researcher Bob Diachenko discovered the leaky server on May 6, 2020, but Shodan had already indexed it on April 23, 2020, so it had been discoverable for at least two weeks before that. PADI received the notice and secured the database today, but has so far offered no explanation regarding this matter.
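As an added example (this code is not from the article, from Diachenko, or from PADI), here is a small Python check you can point at your own Elasticsearch host to find out whether it answers requests with no credentials at all, which is the condition that exposed the PADI cluster. The host, port and the sample index listing are assumptions; the JSON shape follows the output of Elasticsearch's _cat/indices API with format=json.

```python
import json
import urllib.error
import urllib.request

# Constructed sample (not real PADI data): the shape of a
# GET /_cat/indices?format=json response from an open cluster.
SAMPLE_INDICES_JSON = json.dumps([
    {"health": "green", "status": "open", "index": "divers_us",
     "docs.count": "2313197", "store.size": "1.1gb"},
    {"health": "green", "status": "open", "index": "divers_us_backup",
     "docs.count": "100", "store.size": "60kb"},
    {"health": "green", "status": "open", "index": ".kibana_1",
     "docs.count": "3", "store.size": "12kb"},
    {"health": "yellow", "status": "close", "index": "old_exports",
     "docs.count": None, "store.size": None},
])


def summarize_indices(body: str) -> dict:
    """Parse a _cat/indices JSON body into what an attacker learns from
    one unauthenticated request: how many user indices exist, how many
    documents they hold, and which index is the biggest prize."""
    indices = json.loads(body)
    # System indices (.kibana, .security, ...) start with a dot; skip them.
    user = [i for i in indices if not i["index"].startswith(".")]
    # docs.count is null for closed indices, so treat missing/None as 0.
    counts = {i["index"]: int(i.get("docs.count") or 0) for i in user}
    return {
        "index_count": len(user),
        "total_docs": sum(counts.values()),
        "largest_index": max(counts, key=counts.get) if counts else None,
    }


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> dict:
    """Ask the node for its index list without any credentials.
    An HTTP 200 here is the whole finding: anyone who can reach the
    port can read every index (and, with a DELETE, wipe it)."""
    url = f"http://{host}:{port}/_cat/indices?format=json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
            return {"open": True, "status": resp.status,
                    **summarize_indices(body)}
    except urllib.error.HTTPError as exc:
        # 401/403 means something (X-Pack security, a proxy) demands auth.
        return {"open": False, "status": exc.code}
    except (urllib.error.URLError, OSError) as exc:
        # Connection refused or timed out: not reachable from here at all.
        return {"open": False, "status": None, "error": str(exc)}


if __name__ == "__main__":
    import sys
    # Hypothetical target; pass your own host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(json.dumps(probe(target), indent=2))
```

Run it from outside your network perimeter, not just from the host itself: a cluster bound to a private interface can still be open if a firewall or cloud security group forwards port 9200. A 401 or 403 is the result you want; anything that returns the index list is the situation PADI was in.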
The exposed information includes the following details:
Thankfully, the data doesn’t include payment information, even though fees are paid during the PADI certification process. Still, the above information would be valuable to phishers, scammers, and identity thieves. A typical lure would be an email claiming the recipient must renew their certification and pay a fee, designed to harvest credit card details and the payment itself. Cloning the PADI website into a convincing phishing page would not be hard for a capable actor.
As Diachenko points out, it would be naive to assume the data hasn’t already fallen into the wrong hands. Exposed databases like this are typically found by automated crawlers within three days at most, then promptly downloaded, combed through by hackers, and eventually used or sold to others. On top of that, indexable Elasticsearch clusters are currently being destroyed by the “Nightlionsecurity” worm at rates as high as 50%. The hacker carrying out these destructive attacks, wiping databases and trying to put the blame on the Night Lion Security firm, has unknown motives. Still, it’s yet another factor to consider nowadays.
Judging from PADI’s initial response, it seems unlikely they will notify the affected individuals. We have asked them directly and will update this piece if and when we hear back. Until then, PADI-certified divers should be wary of any unsolicited email or SMS demanding their immediate attention. You should also contact PADI, ask exactly what information about you was exposed, and find out whether they are willing to offer you an identity theft protection service now.