US casting site leaks personal data belonging to 260,000+ actors

Jim Wilson
Published on: July 16, 2020
US casting site leaks personal data belonging to 260,000+ actors

Prominent US online casting agency MyCastingFile.com has leaked a significant volume of private data belonging to more than 260,000 users.

The company behind the site claims to have recruited talent for productions such as NCIS: New Orleans, True Detective, Pitch Perfect and the last instalment of the Terminator series, Terminator Genisys.

Our Security team, led by Anurag Sen, discovered records from over 260,000 users including personally identifiable information (PII) such as both physical and email addresses, phone numbers and sensitive information about distinguishing physical features.

In total, close to 10 million records were leaked, adding up to around 1GB in size.

If referring to server records, it would appear the breach first originated on 31 May 2020 but has since been fixed by the company, following our disclosure.

Who is MyCastingFile.com?

Founded in 2012 by Elizabeth Coulon, Ryan Glorioso and Robert Larriviere, MyCastingFile.com is owned by parent company RLR Innovations LLC, based in New Orleans.

According to RLR, MyCastingFile connects aspiring actors with paid casting jobs commissions by media production companies.

The site allows users to create what it calls “talent profiles” whereby users complete a detailed questionnaire including sensitive personal information including weight, height and ethnicity details.

Crucially, the site also allows children under the age of 18 to use its services, thereby raising the level of required cybersecurity, as well as the potential risks if adequate cybersecurity is not ensured. In its privacy policy, RLR states that its services are reserved for adults only and that all under-18 accounts must be managed by parents, but does confirm that children’s private information is stored on the company’s server alongside adult profiles.

From the data breach, it could have been possible to determine what amount of data belonged to children, although our security team did not carry out a full download or demographic analysis of the available data — first and foremost, for ethical reasons.

What was leaked?

The open Elasticsearch server contained highly detailed records belonging to people applying (or already working) in media production such as films and TV shows.

Number of records leaked: 9,456,433
Number of users affected: 260,000+
Size of breach: 1 gigabyte
Server location: United States (Google Cloud)
Company location: New Orleans, USA

The MyCastingFile leak contained more than 260,000 profiles, including information such as:

  • Full names
  • Residential addresses
  • Email addresses
  • Phone numbers
  • Previous work history
  • Date of birth
  • Height & Weight
  • Identifiable features such as hair length/colour
  • Photographs of some of the users including face and body
  • Clothing fitting information
  • Skin colour & ethnicity/race details
  • GPS coordinates
  • Users’ vehicle information including model, colour and year of manufacture
What was leaked?

Candidate full profile including image address

The information left exposed by MyCastingFile includes full profiles of over 260,000 users including highly sensitive personal information and access to photographs submitted by users as part of their application and casting process. However, it’s important to note that not all users’ photos were accessible because content was hosted at multiple locations including an Amazon S3 server.

What was leaked?

Possible profile of internal employee with MyCastingFile email address

Data Breach Impact

The leak contained several bits of information that could be weaponized by hackers to commit identity theft and fraud, across various establishments and organisations both private and public.

Leaked email addresses could be targeted by sending alternative personal information obtained from MyCastingFile and falsely presented to look like a legitimate response. The combined collection of data creates an engaging approach for hackers and can lead to click-throughs to unsecured websites, malware downloads and virus intrusions.

Photographs provided by users can be harnessed to conduct scams involving facial recognition such as identity fraud, as well as being used to create multiple illegitimate profiles, to carry out what’s known as “catfishing” — the act of luring someone into a relationship by means of a fictional online persona.

User photographs could be potentially compromising, therefore, creating severe anxiety and/or reputational damage for those affected by the breach.

Moreover, availability of sensitive private information such as photographs, videos or even medical information, can all be leveraged by nefarious users to extort and blackmail their targets.

The fact that this breach occurred at a casting agency raises various industry-specific concerns such as famous actors being stalked and people being lured into harmful situations under the pretense of securing a major movie role.

Preventing Data Exposure

How can you prevent your personal information from being exposed in a data leak and ensure that you are not a victim of attacks – cyber or real-world – if it is leaked?

  • Be cautious of what information you give out and to whom
  • Check that the website you are on is secure (look for https and/or a closed lock)
  • Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
  • Create secure passwords by combining letters, numbers, and symbols
  • Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
  • Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust
  • Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks
  • Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware

About Us

SafetyDetectives.com is the world’s largest antivirus review website.

The Safety Detective research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data.

About the Author

Jim Wilson
Jim Wilson
Security Researcher in Safety Detective Research Team

About the Author

Jim has a vast knowledge of computer networks. He is an ethical hacker and Hacktivist and an Open Source developer advocate.