Cyber Incident Victim: Turkish branch of Harvard Business Review
Date: Sep 2022
Location: Turkey
Summary
A ransomware attack targeted the Turkish licensee of Harvard Business Publishing after researchers discovered its unprotected MongoDB database containing over 152,000 customer records, including personal details, weakly hashed passwords, payment logs, and employee credentials. Threat actors compromised the database before it was closed, exfiltrating data and leaving a ransom note that demanded Bitcoin and threatened to report GDPR violations and leak the data. The exposed information created a risk of credential-stuffing attacks, identity theft, and unauthorized access to affiliated systems, since some employee credentials were linked to Harvard Business Review domains. Analysis of the Bitcoin wallet named in the note indicated prior victim payments, but the absence of recent transactions suggested the licensee did not pay. Harvard Business Publishing acknowledged the incident and engaged the licensee, which did not publicly respond.
Description
On September 16, 2022, Cybernews researchers discovered an unprotected MongoDB instance hosted in Turkey, belonging to Infomag, an independently operated licensee of Harvard Business Publishing responsible for publishing Harvard Business Review and Bloomberg Businessweek in Turkish. The 3.9GB database contained over 19.5 million records, including duplicates and non-sensitive data, with the oldest entries dating back to 2017. It exposed over 152,000 customer records comprising email addresses, names, social media profile links (LinkedIn, Twitter, Facebook), and hashed passwords. While some passwords were stored with the slow, salted bcrypt algorithm, others relied on fast, general-purpose hash functions such as MD5 or SHA1, leaving them vulnerable to offline cracking. The database also included 15 employee records with emails, names, and weakly hashed SHA1-128bit passwords, some linked to Harvard Business Review English (@hbr.org) accounts. Additional compromised data encompassed payment logs with bank names, phone numbers, IP addresses, physical addresses of individuals and companies, and corporate tax numbers. Researchers noted that the database's "Admin" indices revealed employee permissions to edit the hbrturkiye.com website, raising the risk of unauthorized website modifications or resource access.
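The mix of bcrypt, MD5 and SHA1 hashes described above is a common legacy-migration failure: accounts created before a hashing upgrade keep their old hashes until they are touched again. The following added example, which is not code from Infomag, Cybernews or Harvard Business Publishing, shows how a defender would audit a user dump by hash format and transparently rehash legacy accounts at their next successful login. The record layout and sample users are constructed, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the example runs without third-party packages.

```python
"""Audit stored password hashes by algorithm and upgrade weak ones on login.

Added example; record layout and SAMPLE_USERS are constructed, not real data.
"""
import hashlib
import hmac
import os
import re

# Recognisers for the formats named in the report. bcrypt strings carry a
# $2a$/$2b$/$2y$ prefix, a two-digit cost and 53 chars of salt+hash;
# unsalted MD5 and SHA-1 are bare hex of 32 and 40 characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
PBKDF2_PREFIX = "pbkdf2_sha256$"   # assumed storage format for the upgraded hash
WEAK = {"md5", "sha1", "unknown"}


def classify_hash(stored: str) -> str:
    """Name the algorithm a stored hash string was produced with."""
    if stored.startswith(PBKDF2_PREFIX):
        return "pbkdf2_sha256"
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if MD5_RE.match(stored):
        return "md5"
    if SHA1_RE.match(stored):
        return "sha1"
    return "unknown"


def audit(records):
    """Return per-algorithm counts and the ids of accounts that need rehashing."""
    counts, weak_ids = {}, []
    for rec in records:
        algo = classify_hash(rec["password"])
        counts[algo] = counts.get(algo, 0) + 1
        if algo in WEAK:
            weak_ids.append(rec["_id"])
    return counts, weak_ids


def strong_hash(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Slow, salted hash (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_legacy(password: str, stored: str) -> bool:
    """Check a password against an unsalted MD5/SHA-1 hash (legacy rows only)."""
    algo = classify_hash(stored)
    if algo not in ("md5", "sha1"):
        return False
    digest = hashlib.new(algo, password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored.lower())


def upgrade_on_login(record: dict, password: str) -> bool:
    """Verify a login; if the row still holds a legacy hash and the password is
    right, replace it in place with the strong format. Returns login success."""
    stored = record["password"]
    algo = classify_hash(stored)
    if algo == "pbkdf2_sha256":
        return verify_strong(password, stored)
    if algo == "bcrypt":
        # Already strong; verifying needs the bcrypt package, omitted here.
        raise NotImplementedError("bcrypt rows are verified with bcrypt.checkpw")
    if algo in ("md5", "sha1") and verify_legacy(password, stored):
        record["password"] = strong_hash(password)
        return True
    return False


# Constructed sample dump: one row per storage format the report mentions.
SAMPLE_USERS = [
    {"_id": 1, "email": "a@example.com", "password": hashlib.md5(b"Winter2017").hexdigest()},
    {"_id": 2, "email": "b@example.com", "password": hashlib.sha1(b"hbr-reader").hexdigest()},
    {"_id": 3, "email": "c@example.com", "password": "$2b$12$" + "C" * 53},  # placeholder bcrypt
]

if __name__ == "__main__":
    counts, weak = audit(SAMPLE_USERS)
    print("hash formats:", counts)
    print("accounts to rehash:", weak)
    row = dict(SAMPLE_USERS[0])
    print("login ok:", upgrade_on_login(row, "Winter2017"), "->", classify_hash(row["password"]))
```

The audit step is what a breach response needs first (how many rows are crackable and which accounts to force-reset); the login-time upgrade is the routine that should have run in the years between 2017 and 2022 so that no MD5 or SHA1 rows were left in the collection.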

Three days later, on September 19, Cybernews confirmed the database had been compromised by ransomware actors before Infomag secured it. Attackers left a ransom note demanding 0.01 Bitcoin (BTC) within 48 hours, threatening to leak the data and report GDPR violations to authorities, which could result in fines or arrests. The note provided Bitcoin purchasing instructions and a wallet address that had nine historical transactions, five of which appeared to be victim payments of the exact 0.01 BTC ransom amount. The last transaction occurred on July 31, suggesting Infomag did not comply with the demand. Harvard Business Publishing responded promptly to inquiries, clarifying Infomag's licensee status while emphasizing the seriousness of the incident and notifying Infomag of Cybernews' findings. Infomag did not respond to repeated contact attempts. Cybersecurity experts cited in the report attributed the exposure to common misconfigurations in MongoDB instances, noting that weak password-hashing practices exacerbated the risks of credential-stuffing attacks, identity theft, and reputational harm to both Infomag and Harvard Business Publishing. The incident highlighted the threat from exposed databases, with over 308,000 identified as publicly accessible in 2021.
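The "common misconfigurations" the experts refer to are, in practice, two mongod.conf settings: binding the listener to every interface and leaving role-based authorization off, which together let anyone who can reach port 27017 read and drop collections. The following added example (not code from Infomag, Cybernews or the MongoDB project) puts a constructed exposed configuration beside a hardened one and checks both with a small rule set; the minimal YAML parser is a stand-in for PyYAML so the block runs offline, and the `net.bindIp`, `net.bindIpAll` and `security.authorization` keys are real mongod options.

```python
"""Flag the mongod.conf settings behind an internet-exposed, unauthenticated
MongoDB. Added example; both configuration texts are constructed."""

# Constructed: the shape of a deployment that answers to the whole internet
# with no credentials required.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface
# security section absent: authorization defaults to disabled
"""

# Constructed: same service restricted to loopback plus one private address,
# with role-based access control switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> dict:
    """Two-level 'section:' / '  key: value' parser, enough for mongod.conf.
    Comments and blank lines are dropped; nested deeper structures are not handled."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> list:
    """Return human-readable findings for the two exposure-relevant settings."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # Since MongoDB 3.6 the default bindIp is localhost; 0.0.0.0 / :: or
    # bindIpAll: true widen that to every interface.
    ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if "0.0.0.0" in ips or "::" in ips or net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIp: listens on all interfaces")

    # authorization is disabled unless explicitly enabled.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not enabled (unauthenticated access)")

    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['no findings']}")
```

Either finding alone is dangerous; the combination is what turns a database into the kind of open instance that scanners enumerate by the hundreds of thousands. Network-level filtering in front of the host is still expected even with the hardened file, since authorization only limits what a connected client may do, not who may connect.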
