Fox Data Leak Exposes Employee Details Among 13 Million Documents

The personal details of Fox employees could have been accessed through an easily exposed database containing millions of records, according to a report.

A configuration error meant that a huge trove of nearly 13 million content management records at the network could be accessed in an open, non-password-protected database, according to Website Planet, a U.K.-based website consultancy.

Jeremiah Fowler, a security researcher and co-founder of Security Discovery who worked with Website Planet in exposing the mistake, which has since been amended, said that "anyone with an internet connection" could have accessed the records.

Cars enter and leave Fox Studios, Tuesday, March 19, 2019, in Los Angeles. The Fox could have been easily accessible by hackers, security experts claim. AP Photo/Chris Pizzello

Information held in the database included internal Fox content and emails, usernames, and internal Fox ID reference numbers for celebrities and guests who have appeared on the channel. The material related to talent was all public domain and contained no private information.

Fowler said that anyone could have gained access to more than 700 internal Fox emails and used them to carry out follow-on phishing attacks. The security expert also noted that cyber-criminals could have gained access to the database to insert malicious code or identify which areas could be vulnerable to a future cyberattack.

Fowler said it is unclear how long the records were exposed, or if anyone else was able to access the database.

Fowler said that after being made aware of the issue, the Fox Security Team "acted fast and professionally" to close access to the unsecured database.

"Thank you again for sharing your observations. As a follow-up to our email yesterday, we have continued to investigate and we have determined that the database referenced in your email is a development environment not connected to any production environment," Fox Security Team said in a statement to Website Planet.

"The ability to publicly access such database has been addressed. As part of our investigation, we are reviewing logs to determine any anonymous access to the database."

Fowler added that the researchers were not implying that customer or user data was at risk with their exposure.

"We are only highlighting our discovery to raise awareness of the dangers and cyber security vulnerabilities posed by misconfigured databases, publicly exposed internal records, and how that data is stored," he said. "We advise any company or organization that has a data incident that affects any environment that uses real data to consider changing administrative and user credentials."

When reached for comment, a Fox spokesperson said: "We were contacted in October of 2021 by Security Dynamic about what would correctly be characterized as a general company development environment primarily containing an archival snapshot of public video metadata such as program descriptions and talent bios.

"Additionally, there was a list of business email addresses as well as URLs, other IDs and environments that were no longer in use at the time of discovery. This environment did not service any FOX News applications or systems. The database was secured within hours following the receipt of the report from Security Dynamic in accordance with our responsible disclosure policy."

Corrections 4/7/22, 1:10 p.m. ET: This story was updated to correct that the data belonged to Fox, not Fox News. Also, employees' personally identifiable information [PII] such as their name, address, date of birth and social security were not contained in the leak as previously stated. Further clarification on the kind of data that was available has also been added.