
Ethics Year2

Uploaded by

susheela tamang

Module Code & Module Title

CS5052NI – Professional Issues, Ethics and Computer Law

Assessment Weightage & Type

60% Individual Coursework

Year and Semester

2021-22 Autumn
Student Name: Simran Pakhrin Tamang

London Met ID: 20049054

College ID: NP01CP4S210278

Assignment Due Date: May 12th, 2022

Assignment Submission Date: May 12th, 2022

I confirm that I understand my coursework needs to be submitted online via Google Classroom under the relevant module page
before the deadline for my assignment to be accepted and marked. I am fully aware that late submissions will be treated as non-
submission and a mark of zero will be awarded.
PROFESSIONAL ISSUES, ETHICS, AND COMPUTER LAW CS5052NI

Table of Contents
Introduction
Scandal Background
Legal issues
Social issues
  Economical loss
  Affected its market value and reputation
  Loss of Public Trust
Ethical issues
  Utilitarianism
  Deontology
Professional issues
  Privacy and Data security violations
  Inadequate asset management
  Took time fixing the Vulnerability
Conclusion
References

Table of Figures
Figure 1: Elasticsearch logo
Figure 2: data breaches
Figure 3: Data Privacy


Introduction:

Digital technologies, such as the internet, electronic libraries, and electronic mail, have the
potential to improve worldwide efficiency in the areas of communication, learning, and
commercial trade. Digital technology, on the other hand, creates a plethora of chances for global
errors, such as a significant rise in paper production. Internet users can now copy, save, transport,
filter, and analyze massive amounts of data in a tenth of the time. It took digital technology to
substantially enhance efficiency. Cloud computing, like e-commerce, is among the most ill-
defined technical terms ever. (Kristene, 2012).

Cloud computing is now regarded as a novel technology that must be adopted because of digital
transformation. While cloud technologies have many advantages, improper use can have serious
consequences. Failure or refusal to understand the security implications of this technology can
have disastrous consequences for the business. Is there only one way for a site to be compromised?
Not at all. The components of a domain controller can be publicly released in a variety of ways—
login details being stolen, cybercriminals permeating processes, or even an industry expert
breaching from inside a safe setting on its own. The most popular is when a database is left
available on the internet with no security (with or without a password), allowing anyone to access
the information. (Russell, 2017).

So, if this is the scenario, there is a lack of understanding of Elasticsearch encryption techniques
and what organizations are anticipated to do when safeguarding sensitive information.

To begin answering these questions, one must first recognize what Elasticsearch is. Elasticsearch
is an open-source lookup and analytics engine that also serves as a data store. Elasticsearch is a
handheld, high-quality search engine that businesses configure to enhance the data initialization
and discoverability of their web applications. Whether a corporation has a thousand or a billion
precisely defined snippets of information, Elasticsearch allows them to browse through massive
amounts of information and run arithmetic in a single glance. Elasticsearch is a cloud-based server,
but business owners can also use it natively or in conjunction with some other cloud storage
service. Unlike standard database systems, which store information in tables, Elasticsearch stores
items in a primary value store and is far more flexible. It can conduct queries that are far more
complicated than those found in standard databases, and it can do so at a petabyte scale. We'll look
at the benefits and drawbacks of operating an Elasticsearch network at scale below.

Benefits:

• Detecting anomalies may require searching for patterns across a large range of
measures and quantities.
• Elasticsearch is a strong networked infrastructure that handles queries and data
processing in the background.
• It’s easy to maintain and scale.
• Elasticsearch has released a new Elastic Cloud SaaS service that is simple to deploy,
establish, and scale, and has all the functionality you'd expect.
• Elasticsearch includes additional security that separates data from dashboard
accessibility.
• Easy to install. (Traykov, 2021).

Drawbacks:

• Free or self-hosted websites can be a nightmare to maintain. It's prone to losing data
whenever it breaks.
• Although the information is sometimes extensive, certain elements appear to have gaps.
Packetbeat, for example, does not mention industry standards for DNS logging, so I
had to look elsewhere for a solution.
• Pricing: The free version is fantastic, but the computer teaching materials, intrusion
prevention, and other features require a hefty upgrade. (Nath, 2020).

Elasticsearch aims to start small and scale up as your company grows. It's already set up to
represent the prediction. Simply add additional nodes as needed, and the cluster will reconfigure
itself to take full advantage of the hardware resources. It is becoming increasingly dynamic, and
textual content statistics versions will be released soon. It will eventually create a new generation
in the fields of thorough search and computational linguistics.


Figure 1: Elasticsearch logo

Source: (Zacharylmink, 2019)

Scandal Background:
A data breach occurs when private information is accidentally or intentionally exposed to
unauthorized individuals. Data has become one of the most important aspects of an organisation
in the digital age. Organizations face considerable risks from data leaking, including substantial
brand damage and monetary loss. Data loss detection and prevention has become one of the most
serious security challenges for businesses as the quantity of data grows larger and data breaches
occur more frequently than ever before. Despite several research efforts aimed at preventing the
disclosure of sensitive information, it remains an active research problem. This review provides
information on enterprise data breach dangers, recent data leak instances, various state-of-the-art
prevention and detection approaches, new difficulties, and prospective solutions for interested
readers. (Long Cheng, 2017)

Elasticsearch is frequently covered in the media, and most often just for negative purposes. Every
week, it seems, there is a news article about an Elasticsearch server that has been compromised, invariably
culminating in piles of data being revealed. The information was leaked from an Elasticsearch
server that was left available on the internet without the need for an encryption key. (Russell,
2017).


ZDNet reported in January 2019 that an internet gambling team revealed documents on more than
108 million bets, including private details, certificates of deposit, and redemptions. The
information was obtained from an Elasticsearch server that was left on an internet site without the
need for an encryption key. Unexpectedly, it contained a huge database of previously compromised
customer data spanning the years 2012 to 2019. According to ZDNet, it is hard to say how long
the server was left available on the internet, how many users were hindered, if anybody made
available the leaky server, and if clients were alerted that their personal information was outed.

Numerous Elasticsearch database breaches have been found, but this is one of the largest to date.
A U.K.-based security company unintentionally exposed its "Data Breach Database," which stored
massive information-related security incidents from 2012 to 2019, without data encryption,
exposing approximately 5,088,635,374 records (more than five billion). The user data included
actual names, personal details, telephone numbers, email addresses, dates of birth, site login
information, current accounts, network connections, search engine and OS specifics, last login
details, and a collection of played games, according to Justin Paine, the security consultant who
revealed the domain controller.

Elasticsearch services allegedly managed to expose thousands of people's and organizations'
secured private details. The most current network breach happened when Bithouse, Peekaboo's
app developer, left the Elasticsearch network accessible, exposing more than 70 million log files
plus approximately 100 Gigabytes of data going back to March 2019. Comprehensive device
information, links to visual content, and about 800,000 email addresses were among the information
disclosed.

Cybersecurity researchers discovered an unsecured server with 1.2 billion entries of private
information. The Elasticsearch server was discovered by prominent cybersecurity specialists
Vinny Troia and Bob Diachenko, who quickly determined that the data had been obtained by a
data enrichment company. This would justify the breach's massive scope, which included 622
million unique email addresses, social networking site profiles, contact information, employers,
and even job descriptions. The database was knocked offline within an hour after Diachenko
quickly issued a vulnerability notice. (SelfKey, 2021).


Although it's unclear how far back the data goes, anyone who places wagers on these sites
does so with their victory and loss statistics publicly disclosed, potentially exposing them to
abduction. There's no proof that the content has fallen into the hands of the wrong people, which
isn't very consoling to poker players whose data may be included in the cache, as there was with
the VOIPo data leak. Paine reported that the data had been removed, albeit it is unknown whether
it was done by the organization involved (or companies) or web host OVH. (Dunn, 2019).

Elasticsearch servers have long raised security issues. Since there are no credential safeguards or
firewalls, analysts say the breach happens due to the lack of built-in precautions. Elasticsearch's
advice on how to save their platforms includes safeguarding verified sign-in, adequate encrypting,
multilayered security, and audit tracking.
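
The recommendations above (verified sign-in, encryption, layered network protection, audit tracking) correspond to node settings in elasticsearch.yml. The check below is an added example, not part of the original coursework or of Elastic's tooling: the setting names are Elasticsearch's own, while the two sample configurations, the audit() helper and the rule that a missing key counts as disabled are assumptions made for illustration.

```python
"""Audit elasticsearch.yml text for the unsecured-server pattern."""

# Real Elasticsearch setting names; the finding texts are written for this example.
REQUIRED_TRUE = {
    "xpack.security.enabled": "authentication is not enforced",
    "xpack.security.http.ssl.enabled": "REST API traffic is not encrypted",
    "xpack.security.transport.ssl.enabled": "node-to-node traffic is not encrypted",
    "xpack.security.audit.enabled": "audit logging is off",
}
# Bind values that make the node listen beyond the local or private network.
WILDCARD_HOSTS = {"0.0.0.0", "::", "_global_"}


def parse_settings(text):
    """Flatten simple YAML (flat dotted keys or nested maps) to {dotted_key: value}."""
    settings, stack = {}, []  # stack holds (indent, key) for each open nested map
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")) or ":" not in stripped:
            continue  # blank lines, comments and list items are out of scope here
        indent = len(line) - len(line.lstrip())
        key, _, value = stripped.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave nested maps that ended before this line
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("\"'")
        if value:
            settings[dotted] = value
        else:
            stack.append((indent, key.strip()))
    return settings


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    settings = parse_settings(text)
    findings = []
    for key, problem in REQUIRED_TRUE.items():
        # Assumption: an absent key is reported as "not enabled" because the
        # default differs between Elasticsearch versions and should be verified.
        if settings.get(key, "").lower() != "true":
            findings.append(f"{key}: {problem}")
    for key in ("network.host", "http.host"):
        if settings.get(key) in WILDCARD_HOSTS:
            findings.append(f"{key}: listens on every interface ({settings[key]})")
    return findings


# Constructed sample: a node reachable from anywhere with security switched off.
EXPOSED = """
cluster.name: example-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: private bind address, authentication, TLS and audit logging on.
HARDENED = """
cluster.name: example-cluster
network.host: 10.0.5.12
xpack:
  security:
    enabled: true
    audit.enabled: true
    http.ssl.enabled: true
    transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        results = audit(cfg)
        print(name, "->", results if results else "no findings")
```

A clean result covers only what the file declares; firewall rules and cloud security groups in front of the node still have to be reviewed separately.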

Figure 2: data breaches


Legal issues

The most obvious way that governments have introduced this legal obligation is by adopting
breach notification laws, which force businesses to inform clients if a breach happens. These laws
are based on the community right to know (CRTK) requirements in environmental legislation.
When implemented for security breaches, the CRTK model would notify users and allow them to
take the required actions to safeguard themselves against data theft. The concept would also
incentivize businesses to strengthen their existing cybersecurity and prepare for possible breaches.
Opponents of CRTK laws, on the other hand, argue that incentives are disrupted. For example,
companies may be hesitant to share facts that could be used against them in the future.

These theories are crucial to investigate since the penalties in each jurisdiction for failing to notify
data breaches may not be sufficient to encourage individuals to report data breaches. For example,
Evani only carries a total fine of $50,000 per occurrence, with the possibility of a $50,000 fine
being limited yearly irrespective of the number of offenses. Some states impose harsher sanctions,
while others impose none. Considering that the fines in many jurisdictions are minor (for the
corporate world), these regulations may not be sufficient to persuade businesses to report security
breaches. Considering this, it is critical to investigate the legislation's performance.

After all of this study, there is still no evidence of any specific law, in any particular country,
governing Elasticsearch with regard to the data breach caused by this server.
Elasticsearch servers have long raised security concerns. Because there are no credential
safeguards or gateways, analysts say the breach occurs due to a lack of constructed precautions.
Safeguarding verified sign-in, adequate protection, multilayer security, and inspection logging are all
advice made by Elasticsearch on how to secure their servers.


Social issues
This part of the CW defines how this scenario affects society. Despite the current emphasis on data
security, data breaches have remained a persistent problem. Malicious hackers seem to be
becoming increasingly competent at identifying new ways to obtain access to critical information
as networks are becoming more protected and powerful. Even though most businesses are aware
of the increasing number of data breaches, many are still unprepared and have not adopted the
fundamental security procedures designed to stop a cyber-attack. Let's look at the primary
implications and what happened after the data breach.

Economical loss:

One of the most direct impacts of a data breach is the economic cost to a business. Ransomware,
which is when criminal individuals attempt to keep corporate data captive until they receive
money, is among the most popular extortion strategies right now. Elasticsearch leaked information
on more than 108 million bets. (Meta Compliance Marketing Team, 2020).

Affected its market value and reputation:

Data breaches at a company are rarely what clients want to hear about. Data breaches of
Elasticsearch spread quickly and gain negative publicity, along with a reduction in customer
perception, which can be costly to a firm. The data breach harmed its image and influenced
the company's existing customer connections, including its capacity to recruit potential
subscribers and workers. It means it has lost a significant number of crucial activity elements that
define the organization's economic viability and prosperity, such as willingness to invest, license
to operate, and benefit of the doubt. (Cyber Awareness, Data Security, 2021)

Loss of Public Trust:

The safeguarding of client information is in jeopardy, and it is also hypothesized that PDB hurts
consumer behavior by decreasing both acceptance and participation in advertisements.
Elasticsearch exposed all the sensitive information of clients, which would harm the people. They used
other people's emotions for their benefit or their use. It also affects customer mentality by raising
security worries and psychological breaches while simultaneously lowering trustworthiness. The
level of distrust is much higher among those who believe they were affected by the incident, with
over half of those surveyed saying they no longer trust Elasticsearch with their data. (Lulandala,
2020).

Ethical issues
When a judgment, circumstance, or action conflicts with a society's moral standards, ethical
dilemmas arise. Private interests might be entangled in these conflicts since any of their
operations could be questioned on ethical grounds. Groups and individuals are both affected by
these challenges in their interactions with one another and with enterprises.

Utilitarianism
Utilitarianism is an ethical theory that focuses on results to determine what is good and what is
bad. It's a variation of consequentialism. According to utilitarianism, the most ethical decision is
something that will lead to the greatest good for the largest number of people. It is the only ethical
framework within which military force or conflict may be justified. Because of the way it involves
methods, it is also the most standard technique of human morality utilized in business. (Ethics
Unwrapped, 2018)

Elasticsearch did not apply utilitarian philosophy because it does not improve humanity. Millions
of individuals were affected, lives were jeopardized by the risk of information getting into the
wrong hands, employees had to labor in continual fear of being dismissed, and they were
compelled to operate in an unethical environment where many people were defrauded.
Elasticsearch's working method would be rejected by Utilitarianism because it does not promote
happiness or do any good for society.

Deontology:
Deontology is an ethical system that relies on principles to determine what is right and what is
wrong. The philosopher Immanuel Kant is commonly associated with deontology. Kant thought
that "Don't lie, don't steal, do not cheat" and other universal moral truths guided ethical
behavior. Unlike act utilitarianism, which evaluates actions based on their
outcomes, deontology does not require a cost-benefit analysis of a circumstance. Because you
simply have to obey clear guidelines, you avoid subjectivity and unpredictability. However, if the
guidelines are followed, the outcome appears to be risky.

Elasticsearch's actions would be considered unfair by Deontology because it did not follow any of
the deontological rules. Elasticsearch needed to be clear and accountable, but they lied, stole, and
defrauded millions of people. Elasticsearch disobeyed the norm and was unconcerned about
discretion and uncertainty. (Ethics Unwrapped, 2018)

Professional issues

Data privacy, also known as system confidentiality, is a subset of data security that deals with the
appropriate protection of sensitive data, such as private information but also other private
information like accounting transactions and copyright data, to comply with these requirements
and maintain the data's privacy, security, and unlinkability.

Privacy and Data security violations:


Elasticsearch caused a huge data breach in 2019. More than 108 million bets were disclosed by
an internet casino business. The organization disclosed information about individual personal
data, transactions, and purchases. The information was obtained from an unprotected internet
Elasticsearch server. This recent data leak demonstrates the need for employing simple security
measures. It still needs the appropriate password/username combination, even if you have
complex firewalls and encryption solutions. (EM360 TECH, 2020)

Inadequate asset management:

When the breach was discovered, firm officials were unaware of the magnitude of the problem.
Elasticsearch had a large IT staff and the ability to successfully tackle the situation. If they had
patched the system's vulnerability after receiving information from ZDNet, the intrusion could
have been averted. However, data leakage was caused by poor monitoring and appraisal of the
problem.


Took time fixing the Vulnerability:


ZDNet reported the vulnerability, which resulted in an Elasticsearch breach. Exception handling
flaws are used in this vulnerability. The information was obtained concerning some characteristic
server that was left unprotected online. Bob Diachenko, a security researcher, identified the leaking
database, which held massive Elasticsearch data. He was able to authenticate a few of the most
well-known security incidents, all of which were taken out of service within about an hour of
delivering a security notice.

Elasticsearch harmed the privacy of millions of people and broke the law, demonstrating that the
corporation is unprofessional. Its use of company technology is open to questioning:
Elasticsearch, despite being one of the world's largest organizations, was unable to manage its
cyber security vulnerabilities and repair the vulnerable system, rendering
Elasticsearch unprofessional and resulting in questionable use of company technology.

Figure 3: Data Privacy


Conclusion
To summarize the coursework, as the goal of this research was to consider the social, legal, ethical,
and professional issues surrounding the 2019 Elasticsearch data breach, judgments could not be
drawn based on what was discovered. The Elasticsearch security breach was unparalleled at the
time, and it handled the most complicated data leak ever. The breach was caused by an internet
gambling team leaking documents on more than 108 million bets, including private information,
deposit certificates, and redemption.

As a result, it's essential to understand that, in the case of Elasticsearch, just because a service is
free and massively scalable doesn't imply users can ignore basic security guidelines and
arrangements. This could be due to the extensive false assumption that security obligations are
instantaneously transported to the cloud service provider. This is a mistaken premise that
frequently leads to malfunctioning or under-protected servers. Cloud security is a joint
responsibility of the group's security team and the cloud service provider; however, the
organization must complete the required thorough research to customize and ensure security in
every corner of the system correctly to alleviate any risks involved. (Russell, 2017)

Elasticsearch's participation within those instances is a result of the accessible searching tool's
immense popularity. What should concern us is this has been occurring quite frequently nowadays.
These revelations are likely to associate the links between hackers and dozens of millions around
the world. Independent researchers discovered all the unencrypted information using technologies
that anybody, including cybercriminals, can use. That is the crucial point: the issue of accessible
Elasticsearch information has now become out to the public, and people for various reasons are
searching for it. (Dunn, 2019)

Focusing on what's been made clear this far, those who want to use cloud-based databases must
do the required research to set up and ensure the security of every component of the process.
Furthermore, this requirement is frequently neglected or dismissed.


References
Cyber Awareness, data Security, 2021. Kyber Security. [Online]
Available at: https://kybersecure.com/what-are-the-consequences-of-a-data-security-breach/
[Accessed 12 May 2022].

Dunn, J. E., 2019. Naked Security. [Online]
Available at: https://nakedsecurity.sophos.com/2019/01/23/100-million-online-bets-exposed-by-leaky-database/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=1292cec4cf-Naked+Security+daily+news+email&utm_medium=email&utm_term=0_31623bb782-1292cec4cf-455417261
[Accessed 11 May 2022].

EM360 TECH, 2020. EM360. [Online]
Available at: https://em360tech.com/data_management/tech-features-featuredtech-news/top-10-2019-data-breaches#:~:text=Another%20massive%20data%20breach%20in%202019%20was%20that,about%20personal%20customer%20information%2C%20withdrawals%2C%20and%20deposits%20too.
[Accessed 12 May 2022].

Ethics Unwrapped, 2018. Ethics Unwrapped. [Online]
Available at: https://ethicsunwrapped.utexas.edu/glossary/deontology
[Accessed 12 May 2022].

Long Cheng, F. L. a. D., 2017. Enterprise data breach: cause, challenges, prevention and future
direction, Virginia: John Wiley & Sons.

Long Cheng, F. L. a. D., 2017. WiresOnlinelibrary. Enterprise data breach: cause, challenges,
prevention, and future direction, 7(September/October), p. 9 of 14.

Lulandala, E. E., 2020. Strategic System Assurance and Business Analytics. 1 ed. Singapore:
Springer.


Maniff, R. J. S. a. J. L., 2014. Data Breach Notification Laws. [Online]
Available at: https://www.kansascityfed.org/Economic%20Review/documents/336/2016-Data%20Breach%20Notification%20Laws.pdf
[Accessed 11 May 2022].

MetaCompliance Marketing Team, 2020. MetaBlog. [Online]
Available at: https://www.metacompliance.com/blog/5-damaging-consequences-of-a-data-breach/
[Accessed 12 May 2022].

Russell, A., 2017. Techradar.pro. [Online]
Available at: https://www.techradar.com/news/what-is-elasticsearch-and-why-is-it-involved-in-so-many-data-leaks
[Accessed 11 May 2022].

SelfKey, 2021. SelfKey. [Online]
Available at: https://selfkey.org/data-breaches-in-2019/#:~:text=The%20data%20breach%20itself%20took%20place%20in%20October,doesn%E2%80%99t%20appear%20like%20any%20personal%20information%20was%20leaked.
[Accessed 11 May 2022].

Swartz, N., 2006. ProQuest. [Online]
Available at: https://www.proquest.com/openview/7f18b0a37c8de5baea6ed8e6223f7efa/1?pq-origsite=gscholar&cbl=47365
[Accessed 11 May 2022].

Zacharylmink, 2019. Medium. [Online]
Available at: https://medium.com/@zacharylmink/elasticsearch-and-industrial-big-data-12f9b0654718
[Accessed 11 May 2022].
