Oracle BlueKai: Tracking database data leak

[German]Oracle's subsidiary BlueKai operates a huge database for user tracking via the cloud. Through an unsecured server, the extent of this tracking has now become visible. Millions of user data, partly identifiable as persons, were openly available on the Internet and show how transparent users are now.

Background: BlueKai

BlueKai is a cloud-based platform for large data volumes, and was founded in 2008 by Omar Tawakol, Alexander Hooshmand and Grant Ries as a marketing tech start-up based in Cupertino, California. In 2014, Oracle has invested about $400 million to acquire BlueKai. Since then, BlueKai has enabled companies to personalize online, offline and mobile marketing campaigns.

For this purpose, the company offers data collection services for third parties. BlueKai collects data from PC and smartphone users to improve advertising marketing for its customers. In 2015, BlueKai had approximately 700 million usable profiles.

BlueKai has worked with companies such as Twitter and Facebook to ensure the relevance of the ads that appear to the users of these companies. Other customers and websites that use BlueKai's services include Live.com, Huffingtonpost.com, Walmart.com, Vimeo.com, Microsoft.com and eBay.com..

As a data collection company, BlueKai collects information about users who surf the Web. While BlueKai claims not to collect sensitive financial details, adult material, or health issues, we do not collect information about our users. However, this is not true, and the company has been criticized because users perceive BlueKai's services as an invasion of privacy.

Today this Oracle offering operates under Oracle Data Management Platform (Oracle DMP).  And the company makes no secret of tracking user data through devices to provide advertisers with the most targeted advertising possible. In other words, nothing other than what Facebook or Google and many data collectors do.

The BlueKai data leak

Recently, the US security expert Anurag Sen came across an unprotected database with billions of user data on the net. The database server was incorrectly configured, allowing the data to be viewed without special permissions.

Sen of course shared his findings with Oracle, who took the database offline. But Sen also informed Techcrunch, who reported on the subject here. This suddenly brought the information that the Oracle subsidiary tracks users on a massive scale for advertising networks into the public eye.

I read, that BlueKai tracks significantly less than other providers such as Amazon, Facebook or Google (although Google is currently taking the step of requiring the explicit consent of the user via the Consent Management Platform 2.0). But BlueKai also adds names, addresses, email addresses and other personal information such as payment transactions, which became known through the data leak.

Although BlueKai states that only pseudonymised data is entered into the database – which suggests that the users are not identifiable. But this is probably not the case for the databases viewed by Techchrunch. Very detailed data was stored there. As an example, a German user is cited who uses a prepaid cash card to bet EUR 10 with a sports betting provider in April 2020. BlueKai also stored name, telephone number and address data.

The database also contains transactions such as cancelled newsletters. There the security researchers were able to see that a user was particularly interested in electronic devices. She iPhone was outdated in terms of iOS and would have needed an update.

Data protection issues

The whole issue naturally raises a number of data protection issues. This data should never have been collected in this way without the user's consent. The data leakage as a result of an incorrectly configured server is a data protection incident that must be reported. It is unclear whether Oracle or its subsidiary has reported this incident to the Californian authorities (COPPA)  as well as the European data protection authorities in accordance with GDPR within 72 hours.

This entry was posted in Security and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *