
Thousands of internet-connected databases contain high or critical CVEs, says report by cloud security biz

Put your data on someone else's computer to keep it safe, urges Imperva


After spending five years poring over port scan results, infosec firm Imperva reckons there's about 12,000 vulnerability-containing databases accessible through the internet.

The study also found that 46 per cent of the 27,000 databases scanned contained vulnerabilities, and just over half of those held "high" or "critical" vulns as defined by their CVE score.

The news might prompt responsible database owners to double-check their updates and patching status, given the increasing attractiveness of databases and their contents to criminals and hostile foreign states alike.

Imperva's chief innovation officer Elad Erez said in a statement: "Too often, organizations overlook database security because they’re relying on native security offerings or outdated processes. Although we continue to see a major shift to cloud databases, the concerning reality is that most organizations rely on on-premises databases to store their most sensitive data."

Erez's company sells cloud security products, so he's not without a dog in this fight. Nonetheless, his assertion that on-premises databases tend to be more vulnerable to attackers than cloudy ones may have some force to it.

For British database owners and operators, Imperva reckoned that 61 per cent of those it scanned contained at least one vuln, while on average it said there were 37 vulns per database across its UK sample – though if the sample included more than a handful of abandoned DBs (say, a SQL database powering a long-forgotten discussion forum or blog) this could easily skew the average vulns-per-database figure.

"This indicates that many organizations are not prioritizing the security of their data and neglecting routine patching exercises," said Imperva in its report summary, adding that "some CVEs have gone unaddressed for three or more years."

Brazil was the country that came out best in the study, with just 19 per cent of databases containing one or more vulns and an average of 14 per database scanned. The US sat just below the average, with 37 per cent of databases containing a vulnerability and 25 holes per database on average.

"Regional analysis uncovers significant disparities between nations, with countries such as France (84 per cent), Australia (65 per cent), and Singapore (64 per cent) having much higher incidences of insecure databases," concluded Imperva. "However, for countries such as Germany and Mexico, while the number of insecure databases is relatively low, those that are vulnerable are well above the average when it comes to the number of vulnerabilities capable of exploitation."

Unauthorised access to databases by malicious people can have consequences that reverberate for aeons, relatively speaking: the 2015 hack of Slack was behind a wave of forced password resets four years later. Similarly, a UK energy firm called People's Energy confessed that retail and business customers alike had their information stolen by criminals last December.

If you're responsible for one of these common targets for digital criminals, it's worth double-checking you've fully patched it. ®
