The arrival of GDPR looms large as mistakes such as this put millions of people at risk.
It has been reported that an improperly secured Dow Jones cloud repository exposed the personal information of at least 2.2 million customers.
The exposed information includes the email addresses, names, account details and last four digits of the credit card numbers of subscribers to publications such as The Wall Street Journal.
The true number of customers affected could be in the region of four million accounts, according to the UpGuard Cyber Risk Team, the company responsible for confirming the breach.
Human error was yet again at the root of this significant security incident: the cloud file repository had been configured to allow what UpGuard described as ‘semi-public access’.
The repository was an Amazon Web Services S3 bucket whose access control list granted access to the AWS “Authenticated Users” group. Despite the name, that group is not limited to users of the Dow Jones account: it means any holder of any AWS account, so anyone who had signed up for a free AWS account could list and download the bucket’s contents with their own credentials.
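To make the “Authenticated Users” mistake concrete, the following is an added example (not code from the article, from Dow Jones or from UpGuard) that audits a bucket ACL in the JSON shape returned by `aws s3api get-bucket-acl`, flags grants to the two global groups that reach outside the owning account, and builds the owner-only ACL that S3 applies to a new bucket by default. The sample ACL, bucket name and owner ID are constructed for the example; the two group URIs are the real AWS identifiers.

```python
import json
import sys

# Well-known S3 grantee group URIs; these are real AWS identifiers.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# What each group actually means. AuthenticatedUsers is NOT "users of my account".
WORLD_GROUPS = {
    ALL_USERS: "anyone on the internet, no credentials needed",
    AUTHENTICATED_USERS: "any holder of any AWS account",
}

# Bucket-level ACL permissions and what they let the grantee do.
PERMISSION_EFFECT = {
    "READ": "list the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL (equivalent to full control)",
    "FULL_CONTROL": "do all of the above",
}


def risky_grants(acl):
    """Return one (who, permission, effect) tuple per grant that reaches
    beyond the bucket owner's own account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in WORLD_GROUPS:
            perm = grant["Permission"]
            findings.append((WORLD_GROUPS[uri], perm, PERMISSION_EFFECT.get(perm, "unknown")))
    return findings


def is_owner_only(acl):
    """True when every grant names the owner's canonical user ID and nobody else."""
    owner_id = acl.get("Owner", {}).get("ID")
    grants = acl.get("Grants", [])
    return bool(grants) and all(
        g.get("Grantee", {}).get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") == owner_id
        for g in grants
    )


def owner_only_acl(acl):
    """Build the default ACL for a new bucket: owner has FULL_CONTROL, nobody
    else is listed. This is the document you would send back with put-bucket-acl."""
    owner = acl["Owner"]
    grantee = {"Type": "CanonicalUser", "ID": owner["ID"],
               "DisplayName": owner.get("DisplayName", "")}
    return {"Owner": owner, "Grants": [{"Grantee": grantee, "Permission": "FULL_CONTROL"}]}


# Constructed sample in the shape `aws s3api get-bucket-acl` returns; the owner ID
# is made up. The second grant is the "Authenticated Users" tick box that turns a
# private bucket into a semi-public one.
EXPOSED_ACL = json.loads("""
{
  "Owner": {"DisplayName": "example-owner",
            "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "DisplayName": "example-owner",
                 "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
""")


def audit(acl, bucket_name="example-bucket"):
    """Print a short report and return the findings so a caller can act on them."""
    findings = risky_grants(acl)
    if not findings:
        print(f"{bucket_name}: ACL is restricted to the owning account")
    for who, perm, effect in findings:
        print(f"{bucket_name}: {perm} granted to {who} -> can {effect}")
    return findings


if __name__ == "__main__":
    # Pipe real output in (aws s3api get-bucket-acl --bucket NAME | python3 acl_audit.py)
    # or run with no input to see the constructed sample before and after the fix.
    if not sys.stdin.isatty():
        audit(json.load(sys.stdin), "stdin")
    else:
        audit(EXPOSED_ACL)
        audit(owner_only_acl(EXPOSED_ACL), "example-bucket (after fix)")
```

A clean bucket ACL is necessary but not sufficient: a bucket policy with a `"Principal": "*"` statement (see `aws s3api get-bucket-policy`) opens a bucket just as effectively, and objects carry their own ACLs separate from the bucket’s, so both must be checked before concluding the data is private.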
Christiaan Beek, lead scientist and principal engineer at McAfee said: “Companies today are battling an increasingly varied threat landscape while managing huge amounts of data. It can be a challenge to keep close track of where this data resides to ensure it is secure – and in this case, one small error in the cloud resulted in a large scale exposure. The reality is that as companies become more focussed on preventing cybercrime, they may be unconsciously shooting themselves in the foot in their efforts to be completely secure.”
As moving an entire business to the cloud becomes ever more realistic, this incident may prompt organisations to re-evaluate the security measures they have in place, and reopen the wider debate about the security of the cloud.
“Companies need to focus on building a fully integrated security system with automated monitoring in place to ensure that they are constantly aware of what is happening on their networks. Finding the right combination of people, process and technology is the key to effectively protecting the organisation’s data, detecting any threats and, when targeted, having the capability to rapidly correct affected systems,” said Beek.
The General Data Protection Regulation (GDPR), which comes into force in under a year, inevitably comes to mind after an oversight on this scale, one that has resulted in the exposure of millions of records.
Rich Campagna, CEO, Bitglass: “In the last month, we’ve seen three high profile data incidents of this nature: Deep Root Analytics, Verizon Wireless and now Dow Jones. The difficulty with stopping this kind of thing is that it originates from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk.
“Organisations must realise that they are responsible for configuring the cloud services they use in a secure manner. For Dow Jones, there are a host of technologies available today that could have quickly, easily and cost effectively ensured appropriate configuration of the cloud service and encrypted the customer data, en route to the cloud. This could have ensured that, in the event of unauthorised access, the data would have been protected.”
AWS had not responded to CBR’s request for comment at the time of publishing; the company subsequently provided the following statement.
AWS told CBR: “Amazon S3 is secure by default. If customers use the default configuration, the bucket locks down access to just the account owner and root administrator. Well over a million customers continue to use Amazon S3 safely and securely.
“A core tenet of AWS since the very start has been to allow builders the flexibility to change our default configurations to suit whatever style of app they’re constructing. Like is the case on premises or anywhere else, when you set a new access control configuration, an application builder needs to ensure that it protects access the way that’s intended. We have a number of services (like AWS CloudTrail to audit access and other operations on AWS resources like Amazon S3 buckets) that help customers audit and consider their configuration changes, and we will continue to add capabilities that give customers additional ways to triple check their customizations.”