The Victorian Building Authority has confirmed that it left a 30GB MongoDB instance containing half a million records exposed to the internet.
The database, which was uncovered by security researcher Bob Diachenko, contained “API request logs and practitioners' details, such as names, addresses, mobile phone numbers, certificate numbers and more”.
Diachenko said in a LinkedIn post that he had worked with fellow researcher Troy Hunt and the Australian Cyber Security Centre (ACSC) to contact the Victorian Building Authority to secure the database.
The Victorian Building Authority (VBA) is a state-based regulator for builders and plumbers.
In a statement published by Diachenko - and verified by iTnews - the authority said it had “established an incident response team to investigate and contain the breach.”
“The data we understand is now secure,” the VBA said.
“It was exposed to the internet by a third-party vendor without our authorisation. We are extremely concerned with the situation and have taken immediate steps to review all activities involving this vendor.
“We have engaged external providers to assist with a full information security review and risk assessment.
“Although we are very confident that this is an isolated incident, we will undertake a full review of our IT systems and processes to probe for any other areas for concern.”