Millions of Peruvian Moviegoers at Risk for Identity Theft, Cybercrime

Jim Wilson
Posted: January 27, 2020

The research team at SafetyDetectives, led by Anurag Sen, recently uncovered a data leak from the Peruvian movie theater chain Cineplanet. The exposed database, hosted on a Microsoft Azure server based in Virginia, USA, contained approximately 14 million login records and over 205 million logs of data. The leak was closed on January 24th, 2020.

What’s Being Leaked?

Internal logs and individual customer data were included in this database, which was being updated and growing in size daily. The database stored logs from the past month and contained records of users who logged in within that time period. In some cases, there were multiple entries for the same user, and our research team cannot identify the number of unique users without further inquiry.

The extent of customer data visible included:

Personally Identifying Information (PII)

  • DNI number (similar to social security number)
  • Email address
  • Phone number
  • Full customer address
  • Marital status and other lifestyle details

Consumer Data

  • Member logins
  • Unencrypted passwords
  • Internal customer/loyalty member ID numbers
  • Customer loyalty points
  • Gift card balance
  • Purchases

PCI Data

  • Partial credit card number (first four and last four digits)
  • Credit card expiration date
  • Affiliated name and ID number
  • Bank reference code
  • Payment amounts
  • Declined or approved status on purchase attempts

Unique Technical Information

  • Device
  • Browser
  • IP address
  • Session logs

Partial credit card numbers (first and last four digits) can still lead to identity theft and fraud because they supply information needed for password resets, which in turn can lead to account takeovers and access to additional compromising personal data. When correlating PII is also available, multiple forms of cybercrime become possible, including SIM card duplication and the subsequent compromise of data in a variety of applications.

This data leak also poses a real physical threat to moviegoers. With names and home addresses handy, criminals can stalk or attack potential victims. Combined with purchase history, it is even feasible that burglars and vandals will know the exact time their targets will be out of the home, providing a prime opportunity to rob and ruin property.

Technical device information, combined with personal information and/or movie-viewing history, can also make phishing attacks and malware more effective against the individuals targeted.

Preventing Data Exposure

How can you prevent your personal information from being exposed in a data leak and ensure that you’re not a victim of attacks if it is leaked?

  • Be cautious of what information you give out and to whom.
  • Check that the website you’re on is secure (look for https and/or a closed lock).
  • Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.).
  • Create secure passwords by combining letters, numbers, and symbols.
  • Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be.
  • Double-check any social media accounts (even ones you no longer use) to ensure that your posts and personal details are visible only to people you trust.
  • Avoid using credit card information and typing out passwords over unsecured WiFi networks.
  • Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware.

About Us

SafetyDetectives.com is the world’s largest antivirus review website. The SafetyDetectives research lab is a pro-bono service that aims to help the online community defend itself against cyber threats, while educating organizations on protecting their users’ data.