Freely subscribe to our NEWSLETTER

Our Security team, led by Anurag Sen, discovered records from over 260,000 users including personally identifiable information (PII) such as both physical and email addresses, phone numbers and sensitive information about distinguishing physical features.

In total, close to 10 million records were leaked, adding up to around 1GB in size.

If referring to server records, it would appear the breach first originated on 31 May 2020 but has since been fixed by the company, following our disclosure.
Who is MyCastingFile.com?

Founded in 2012 by Elizabeth Coulon, Ryan Glorioso and Robert Larriviere, MyCastingFile.com is owned by parent company RLR Innovations LLC, based in New Orleans.

According to RLR, MyCastingFile connects aspiring actors with paid casting jobs commissions by media production companies.

The site allows users to create what it calls “talent profiles” whereby users complete a detailed questionnaire including sensitive personal information including weight, height and ethnicity details.

Crucially, the site also allows children under the age of 18 to use its services, thereby raising the level of required cybersecurity, as well as the potential risks if adequate cybersecurity is not ensured. In its privacy policy, RLR states that its services are reserved for adults only and that all under-18 accounts must be managed by parents, but does confirm that children’s private information is stored on the company’s server alongside adult profiles.

From the data breach, it could have been possible to determine what amount of data belonged to children, although our security team did not carry out a full download or demographic analysis of the available data — first and foremost, for ethical reasons.
What was leaked?

The open Elasticsearch server contained highly detailed records belonging to people applying (or already working) in media production such as films and TV shows.

Number of records leaked: 9,456,433
Number of users affected: 260,000+
Size of breach: 1 gigabyte
Server location: United States (Google Cloud)
Company location: New Orleans, USA

The MyCastingFile leak contained more than 260,000 profiles, including information such as:

Full names
Residential addresses
Email addresses
Phone numbers
Previous work history
Date of birth
Height & Weight
Identifiable features such as hair length/colour
Photographs of some of the users including face and body
Clothing fitting information
Skin colour & ethnicity/race details
GPS coordinates
Users’ vehicle information including model, colour and year of manufacture

What was leaked?

Candidate full profile including image address

The information left exposed by MyCastingFile includes full profiles of over 260,000 users including highly sensitive personal information and access to photographs submitted by users as part of their application and casting process. However, it’s important to note that not all users’ photos were accessible because content was hosted at multiple locations including an Amazon S3 server.

What was leaked?

Possible profile of internal employee with MyCastingFile email address
Data Breach Impact

The leak contained several bits of information that could be weaponized by hackers to commit identity theft and fraud, across various establishments and organisations both private and public.

Leaked email addresses could be targeted by sending alternative personal information obtained from MyCastingFile and falsely presented to look like a legitimate response. The combined collection of data creates an engaging approach for hackers and can lead to click-throughs to unsecured websites, malware downloads and virus intrusions.

Photographs provided by users can be harnessed to conduct scams involving facial recognition such as identity fraud, as well as being used to create multiple illegitimate profiles, to carry out what’s known as “catfishing” — the act of luring someone into a relationship by means of a fictional online persona.

User photographs could be potentially compromising, therefore, creating severe anxiety and/or reputational damage for those affected by the breach.

Moreover, availability of sensitive private information such as photographs, videos or even medical information, can all be leveraged by nefarious users to extort and blackmail their targets.

The fact that this breach occurred at a casting agency raises various industry-specific concerns such as famous actors being stalked and people being lured into harmful situations under the pretense of securing a major movie role.
Preventing Data Exposure

How can you prevent your personal information from being exposed in a data leak and ensure that you are not a victim of attacks – cyber or real-world – if it is leaked?

Be cautious of what information you give out and to whom
Check that the website you are on is secure (look for https and/or a closed lock)
Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
Create secure passwords by combining letters, numbers, and symbols
Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust
Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks
Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware