A Dow Jones list of 2.4 million people considered at risk for bribery and corruption, as well as high-profile criminals and terrorists, sat out in the open on an unsecured online database, a researcher has found.
Experts Comments below:
Warren Poschman, Senior Solution Architect at comforte AG:
“In a regrettable trend, Dow Jones & Co. is yet another example of a company that has failed its customers without taking proper security measures – and twice now. Surely, heads will roll in their IT organization but it’s their customers that are left at risk and bearing the pain of the identity theft and privacy failures. Really, it’s a classic case of a company wanting to invest in the cool technology, in this case, Elasticsearch and AWS S3 buckets, but they’ve not understood the security ramifications of this technology. Organizations need to adopt data security to protect their data, wherever it may exist or whoever may be managing it on their behalf. A data-centric security model allows a company to protect data and use it while it is protected for analytics and data sharing on cloud-based resources. These incidents would have been preventable with such a model – and if a 3rd party or partner has a security lapse, instead of trying to shift blame, Dow Jones would be talking about how it proactively protected its customers from such threats.”
Sergio Loureiro, Director Cloud Solutions at Outpost24:
“This is another case of sensitive data on Elasticsearch clusters being left wide open on the internet, and it happens to be hosted on AWS. We’ve seen this time and time again – companies using Elasticsearch for analytics or big data projects and making careless mistakes in the misconfiguration.
To prevent this scenario, companies must ensure they have the security process and controls in place to assess and be alerted of potential misconfigurations on a continuous basis.”
Kevin Gosschalk, CEO at Arkose Labs:
“The ramifications of this leak are not yet known, because we haven’t seen the harm it may cause other businesses. The concerning trend of large-scale data breaches is how easy it has become for cybercriminals to weaponize the exposed data with automation in credential stuffing attacks – putting millions of people at risk.”
One thing is clear – organizations are not where they need to be when it comes to protecting themselves. In this instance, a compromised database was left on a server without a password, and now 2.4 million confidential profiles with extensive data have been exposed. Companies must discover, track, and monitor their attack surface – and immediately enforce multi-factor authentication to protect against the next attack.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.