Whirlpool Suffers Data Leak – 28.1 Million Records Exposed Drew Wilson | October 30, 2019 Whirlpool is the latest company to suffer a data leak. In all, 28.1 million records of people’s devices were left exposed. If there’s anything we’ve learned over the years, it’s that not all data leaks and breaches are the same. Sure, there is a popular type in which credit cards and personal information get exposed, but not all leaks and breaches are like that. In fact, for something so math-like and logical, you can almost get that sense of inadvertent creativity in all of this. That is certainly the case with what happened with Whirlpool recently. Security researchers noticed some unusual activity in their data monitoring technology. Upon further investigation, they stumbled on an exposed data base leaking personal information. What’s more is that the database was being updated every sixty minutes. As it turns out, the database contained the information of the status of peoples appliances. Whirlpool was collecting information every hour from people’s amenities. From Technadu: This means that Whirlpool is scanning their appliances in very frequent time intervals, checking their internet connection status. If they were online, Whirlpool collected the SAID numbers, model name and number, various attributes, and the customer email. The exposed database contained more than 28.1 million records, which means that the email addresses of that number of people have been potentially compromised. While losing your email address isn’t exactly catastrophic, having this information correlated with other data can lead to phishing attacks and other forms of targeting. Moreover, scanning a device every 60 minutes is a bit too much as a practice, even if it is done on benevolent intentions. The researcher informed the century-old American manufacturer, and they took the database and service instance down the following day. Their official statement came a couple of days later, and it was the following: “Our company was recently made aware of potential security concerns with respect to one of its databases. The database was immediately taken offline and secured. Our investigation showed that 48,000 emails were publicly available – but no confidential information was exposed. We are in the process of reaching out to impacted consumers. Our company appreciated this notification so the issue could be quickly addressed.” What this story does is put the security of IoT (Internet of Things) devices back into the spotlight. How much information is that toaster really collecting while it tells you the weather report for the day? Is that fridge really only there to give you that traffic report every morning as an added bonus? Are you really watching TV or is that TV actually watching you? For the time being, there are many countries that don’t really have any regulations on what devices will and won’t collect. It isn’t until the last decade or so that this is even much of a concern. A toaster is just a toaster. That stove just cooks meals. Your microwave is just a microwave. On top of that, saying a key word in a room to get a computer to answer questions is something that only comes straight out of science fiction (Star Trek to name one prominent example). At this point in time, we are left wondering how long it will take before the government has to step in and lay ground rules for these devices. After all, companies aren’t waiting around for government to think about what the future is like. They are going to try and take full advantage of any regulatory gap to collect personal information to help net them a bigger profit. With the countless data leaks and breaches we’ve seen, such as AutoClerk and Adobe, the private sector is far from perfect in securing data in the first place. Unfortunately, we’re not sure if the government is exactly acting to catch up at this point in time in many jurisdictions. Drew Wilson on Twitter: @icecube85 and Facebook.