US casting site leaks personal data belonging to 260,000+ actors
July 2020 by Jim Wilson, SafetyDetectives.com
Prominent US online casting agency MyCastingFile.com has leaked a significant volume of private data belonging to more than 260,000 users.
The company behind the site claims to have recruited talent for productions such as NCIS: New Orleans, True Detective, Pitch Perfect and the last instalment of the Terminator series, Terminator Genisys.
Our Security team, led by Anurag Sen, discovered records from over 260,000 users including personally identifiable information (PII) such as both physical and email addresses, phone numbers and sensitive information about distinguishing physical features.
In total, close to 10 million records were leaked, adding up to around 1GB in size.
If referring to server records, it would appear the breach first originated on 31 May 2020 but has since been fixed by the company, following our disclosure. Who is MyCastingFile.com?
Founded in 2012 by Elizabeth Coulon, Ryan Glorioso and Robert Larriviere, MyCastingFile.com is owned by parent company RLR Innovations LLC, based in New Orleans.
According to RLR, MyCastingFile connects aspiring actors with paid casting jobs commissions by media production companies.
The site allows users to create what it calls “talent profiles” whereby users complete a detailed questionnaire including sensitive personal information including weight, height and ethnicity details.
From the data breach, it could have been possible to determine what amount of data belonged to children, although our security team did not carry out a full download or demographic analysis of the available data — first and foremost, for ethical reasons. What was leaked?
The open Elasticsearch server contained highly detailed records belonging to people applying (or already working) in media production such as films and TV shows.
Number of records leaked: 9,456,433
Number of users affected: 260,000+
Size of breach: 1 gigabyte
Server location: United States (Google Cloud)
Company location: New Orleans, USA
The MyCastingFile leak contained more than 260,000 profiles, including information such as:
Previous work history
Date of birth
Height & Weight
Identifiable features such as hair length/colour
Photographs of some of the users including face and body
Clothing fitting information
Skin colour & ethnicity/race details
Users’ vehicle information including model, colour and year of manufacture
What was leaked?
Candidate full profile including image address
The information left exposed by MyCastingFile includes full profiles of over 260,000 users including highly sensitive personal information and access to photographs submitted by users as part of their application and casting process. However, it’s important to note that not all users’ photos were accessible because content was hosted at multiple locations including an Amazon S3 server.
What was leaked?
Possible profile of internal employee with MyCastingFile email address Data Breach Impact
The leak contained several bits of information that could be weaponized by hackers to commit identity theft and fraud, across various establishments and organisations both private and public.
Leaked email addresses could be targeted by sending alternative personal information obtained from MyCastingFile and falsely presented to look like a legitimate response. The combined collection of data creates an engaging approach for hackers and can lead to click-throughs to unsecured websites, malware downloads and virus intrusions.
Photographs provided by users can be harnessed to conduct scams involving facial recognition such as identity fraud, as well as being used to create multiple illegitimate profiles, to carry out what’s known as “catfishing” — the act of luring someone into a relationship by means of a fictional online persona.
User photographs could be potentially compromising, therefore, creating severe anxiety and/or reputational damage for those affected by the breach.
Moreover, availability of sensitive private information such as photographs, videos or even medical information, can all be leveraged by nefarious users to extort and blackmail their targets.
The fact that this breach occurred at a casting agency raises various industry-specific concerns such as famous actors being stalked and people being lured into harmful situations under the pretense of securing a major movie role. Preventing Data Exposure
How can you prevent your personal information from being exposed in a data leak and ensure that you are not a victim of attacks – cyber or real-world – if it is leaked?
Be cautious of what information you give out and to whom
Check that the website you are on is secure (look for https and/or a closed lock)
Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
Create secure passwords by combining letters, numbers, and symbols
Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust
Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks
Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware