News broke earlier today that nearly 50,000 Australians’ sensitive data was left freely exposed online. The breach occurred due to a misconfigured Amazon S3 bucket, presumably left unsecured by a third-party contractor. IT security experts commented below.
Jason Garbis, VP at Cyxtera Technologies:
“While it’s clear that organisations must institute better access controls to sensitive data, there’s an element of security resiliency that often goes overlooked. This has to do with the implications of user IDs and passwords being breached, and is especially important when there are third-party contractors are involved, as occurred in this recent Australian incident. Organisations need to build in resiliency, so that multiple factors beyond simply a password are required for user access. A “zero trust” model can be obtained by implementing modern security architecture based on the Software-Defined Perimeter (SDP). With SDP, organisations can ensure that users and devices are securely on-boarded and validated before any access is permitted. And, they can easily enforce additional controls, like Geolocation or IP address restrictions and a One-Time Password when situations warrant it. When the security architecture is designed with resiliency in mind, losing user credentials doesn’t need to constitute a major disaster.”
Ian Ashworth, Security Consultant at Synopsys:
“Cloud computing is an increasingly popular way for centralizing storage and data access and often provides a cheaper more elastic and secure platform for enterprises to harness, however their configuration can often be more than simple. Being internet-connected and widely accessible should dictate a greater level of diligence in their setup and tailoring to ensure they appropriately manage accessibility and control. Authentication and correct levels of authorization are two such essential measures for granting user access to the most sensitive of data or services. When especially dealing with PII and payment details additional storage protection measures should be employed providing an overall layered security architecture.”
Lisa Baergen, Director at NuData Security:
“Breaches such as this, with sensitive and highly valuable personal data involved, act as a pipeline for further cyber crime. Those involved should be extra vigilant in keeping an eye out for spearphishing and other targeted cyber crime attempts. Data in the wrong hands can have a huge impact. Email addresses and password information, combined with other data on the consumer from other breaches and social media, builds a more complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans and much more. Every hack has a snowball effect that far outlasts the initial breach.
“All personal information is valuable to fraudsters. Names, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We must change the current equation of “breach = fraud” by changing how we think about online identity verification. We need to protect all consumer data, but more importantly, we need to make it valueless. Combining two-factor authentication with a passive behavioural biometric solution would render these kind of breaches a thing of the past.”
Jes Breslaw, director of strategy, EMEA at Delphix:
“Time and time again we have seen that even the most basic of personal identifiable information puts people at risk. Names, addresses and contact information all hold money-making potential for opportunistic cyber criminals on the dark web.
“In this instance, it appears a database backup was stored in the cloud, demonstrating a lack of control over data. The scary truth is that most organisations have hundreds or even thousands of copies of databases with little or no knowledge or control where they reside and who has access to them. This is why more and more companies are adopting a DataOps approach assigning dedicated people and tools to manage and secure data across an organisation. A Dynamic Data Platform that embraces the core principles of DataOps enables data operators to know exactly what data is where, to be able to mask (anonymise) data that is not required for production systems, and to ensure that data consumers only have the data they require. ”