Author: Mathew J. Schwartz / Source: Government Info Security
Is there a hole in your Amazon Web Services bucket?
Many organizations now rely on Amazon S3 buckets, or virtual containers, to store and share data. By default, AWS Simple Storage Service, or S3, buckets are not publicly accessible, and access can be tightly restricted. But many organizations inadvertently misconfigure their buckets to allow “public” or semi-public access, which can result in data being exposed.
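The two places where that “public” or semi-public access is usually granted are the bucket policy (an Allow statement whose Principal is `*`) and the bucket ACL (a grant to the AllUsers or AuthenticatedUsers groups). The following audit script is an added example, not code from the article or from Dow Jones, UpGuard or AWS. It takes the policy and ACL documents in the shape returned by boto3's `get_bucket_policy()` and `get_bucket_acl()` and flags the grants that open a bucket to everyone; the bucket name, account id, role name and canonical user id in the sample documents are constructed, and the weak samples sit beside a corrected policy and ACL.

```python
"""Audit S3 bucket policy and ACL documents for public access.

Example added by the editor, not part of the article. Inputs are the JSON
documents an operator would retrieve with boto3's get_bucket_policy() and
get_bucket_acl(); the sample documents below are constructed for illustration.
"""
import json

# Real AWS predefined-group URIs; a grant to either opens the bucket beyond its owner.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def _principal_is_wildcard(principal):
    """True when a policy statement's Principal names everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return the Sids (or indexes) of Allow statements open to any principal.

    A statement with a Condition block is still reported: AWS may narrow it,
    but a conservative audit flags it for a human to confirm.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def audit_bucket(policy, acl):
    """Combine both checks into one list of human-readable findings."""
    findings = [f"policy statement '{sid}' allows any principal"
                for sid in public_policy_statements(policy)]
    findings += [f"ACL grants {perm} to {group}"
                 for group, perm in public_acl_grants(acl)]
    return findings


# Constructed sample: the classic misconfiguration, a "public-read" policy.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-subscriber-exports/*",
    }],
}

# Constructed corrected policy: one named role in the owning account (ids are placeholders).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-subscriber-exports/*",
    }],
}

# Constructed ACLs: a semi-public grant to any AWS account holder, then owner-only.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"}
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
]}
FIXED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("fixed", FIXED_POLICY, FIXED_ACL)):
        print(name, json.dumps(audit_bucket(pol, acl)))
```

Run against the samples, the weak pair produces two findings and the fixed pair none. The AuthenticatedUsers group is the “semi-public” case the article alludes to: it is not the open internet, but any holder of an AWS account can read the bucket, which is exactly how a researcher with an ordinary account can stumble on exported subscriber files.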
In recent months, organizations including Verizon, World Wrestling Entertainment, Scottrade and Deep Root Analytics have blamed user error for the contents of their S3 buckets being exposed.
Add to that list Dow Jones, a business and financial news company that owns the Wall Street Journal.
On Sunday, Dow Jones said that about 2.2 million customers’ details were exposed due to an Amazon S3 bucket misconfiguration.
“We were made aware that certain Dow Jones/WSJ subscriber and Risk & Compliance content was over-exposed on Amazon Cloud (not the open internet),” a Dow Jones spokeswoman tells Information Security Media Group. “This was due to an internal error, not a hack or attack.” Exposed details included some customers’ names, email and mailing addresses, and the last four digits of their credit card numbers.
The data exposure was discovered by Chris Vickery, a researcher with the cyber risk team at security vendor UpGuard, on May 31. UpGuard says it notified Dow Jones about the security problem on June 5 and that the bucket appeared to have been secured by the next day.
“We immediately remedied the situation and have no reason to believe that any data was taken,” the Dow Jones spokeswoman says. “The subscriber data included basic contact information; it did not include full credit card numbers or passwords.”
UpGuard “conservatively estimates” that up to 4 million customer details may have been exposed, “though duplicated subscriptions may account for some of the difference,” according to a Monday blog post by Dan O’Sullivan, a security researcher at the firm.
“Among the fields populated with data throughout the text files are customer names, internal Dow Jones customer IDs, home and business addresses, and account details, such as the promotional offer under which a customer signed up for a subscription,” O’Sullivan says. “Perhaps most critical was the inclusion of the last four digits of customer credit cards in the files, as well as customer email addresses also used to login to their accounts online. A small percentage of customers also had their phone numbers exposed in the files.”
Risk & Compliance Data Exposed
Dow Jones says exposed data also included information about individuals and…