A proprietary watchlist of 2.4 million risky individuals and corporate entities owned by Dow Jones has been exposed after a third-party company with access to it left it on an AWS-hosted Elasticsearch server with no password. The indexed, tagged and searchable list includes current and former politicians, citizens with alleged criminal histories or possible terrorist links, and companies under sanctions or convicted of high-profile financial crimes. The exposed records include names, addresses, locations, dates of birth, genders, whether the subject is deceased and, in some cases, photographs.
“This security lapse from the Dow adds to a growing list of organizations in 2019 that have left Elasticsearch servers unprotected, therefore exposing massive quantities of proprietary data. Dow Jones suffered a similar cloud storage misconfiguration two years ago that exposed the information of 2.2 million customers. It’s concerning that with this new exposure, Dow Jones did not take proper steps to strengthen its security posture. Organizations must realize the importance of balancing their use of the public cloud, containers, hybrid infrastructure and more with proper security controls. Automated cloud security solutions that provide the automation essential to enforce policy, reduce risk, provide governance, impose compliance and increase security across large-scale hybrid cloud infrastructure are a must for the massive stock market index, as well as any major enterprise.”
“This data breach is particularly egregious for both the lack of very basic protection — a password — and the extremely high degree of sensitivity of the data. There may be people on the list that are innocent, and the risky individuals are now aware they are on the list and can change their tactics to avoid detection in the future. Such leaks are often caused by gaps in security programs that can be easily detected and prevented. Organizations must take proactive approaches to protect their data through continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses. And as evidenced by this incident, testing must extend to an organization’s third-party partners as well.”
Anurag Kahol, CTO and Founder at Bitglass:
“Dow Jones’ exposed database contained sensitive details on current and former politicians, alleged and convicted criminals, citizens with possible terrorist links, companies facing sanctions, and organizations convicted of high-profile crimes. Leaving this information unprotected is both careless and irresponsible – as is failing to address the issue in detail with the public. While all organizations need to defend their data, Dow Jones, in particular, must adhere to the highest of security standards – the type of information that they collect, store, and share demands it.
Even though AWS provides some native security and compliance functionality, the onus is on the enterprise to secure access to the data that is being stored within the platform. At the most basic level, this requires the use of a password (although this alone is not sufficient for cybersecurity). As more and more organizations move to the cloud, advanced, cloud-specific security controls must be put in place in order to secure data as it travels across third-party services, organizations, and devices. One effective solution for accomplishing this involves using a cloud access security broker (CASB) to protect data wherever it goes.
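The control the story turns on is whether the Elasticsearch REST API answers without credentials at all. The script below is an added example for this article, not code from Dow Jones, the third party involved, or any of the commentators quoted. It sends an unauthenticated GET to the node's root endpoint and classifies the reply: an open node (the default for 7.x and earlier unless X-Pack security was switched on; 8.x enables it by default) returns 200 with `cluster_name` and `version.number`, while a node enforcing authentication returns 401. Only when the root call has already shown the cluster is open does it list index names, so the check never reads documents. The port, scheme, host names and sample responses are assumptions constructed for illustration.

```python
"""Check whether an Elasticsearch node answers the REST API without credentials.

Added example for this article; not code from Dow Jones, the third party
involved, or any commentator quoted. Assumes the default REST port (9200) and
plain HTTP; host names and the sample responses below are constructed.
"""
from __future__ import annotations

import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    host: str
    status: int                        # HTTP status of GET /
    exposed: bool                      # True: cluster metadata returned with no credentials
    cluster_name: str | None = None
    version: str | None = None
    indices: list[str] = field(default_factory=list)


def classify_root(status: int, body: bytes) -> tuple[bool, str | None, str | None]:
    """Interpret the response to GET / on an Elasticsearch node.

    Open node: 200 plus a JSON document carrying cluster_name and version.
    Security enforced (X-Pack or an authenticating proxy): 401.
    Anything else (another service on the port, HTML from a proxy) is reported
    as not exposed, which is "could not confirm", not proof of safety.
    """
    if status != 200:
        return False, None, None
    try:
        doc = json.loads(body)
    except ValueError:
        return False, None, None
    if not isinstance(doc, dict) or "cluster_name" not in doc or "version" not in doc:
        return False, None, None
    ver = doc.get("version")
    number = ver.get("number") if isinstance(ver, dict) else None
    return True, doc.get("cluster_name"), number


def parse_cat_indices(body: bytes) -> list[str]:
    """Parse GET /_cat/indices?h=index&format=json, a JSON list of {"index": name}."""
    try:
        rows = json.loads(body)
    except ValueError:
        return []
    if not isinstance(rows, list):
        return []
    return [r["index"] for r in rows if isinstance(r, dict) and "index" in r]


def _get(url: str, timeout: float) -> tuple[int, bytes]:
    """GET with no credentials. 4xx/5xx still yield status and body; no connection yields 0."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except urllib.error.URLError:
        return 0, b""


def probe(host: str, port: int = 9200, scheme: str = "http", timeout: float = 5.0) -> ProbeResult:
    """Probe one host you are authorised to test; lists index names only if the root call proved the cluster open."""
    base = f"{scheme}://{host}:{port}"
    status, body = _get(base + "/", timeout)
    exposed, cluster, version = classify_root(status, body)
    result = ProbeResult(host, status, exposed, cluster, version)
    if exposed:
        s, b = _get(base + "/_cat/indices?h=index&format=json", timeout)
        if s == 200:
            result.indices = parse_cat_indices(b)
    return result


# Constructed sample responses (not captured from any real host).
OPEN_ROOT = b'{"name":"node-1","cluster_name":"watchlist-prod","version":{"number":"6.8.0"},"tagline":"You Know, for Search"}'
LOCKED_ROOT = b'{"error":{"type":"security_exception","reason":"missing authentication credentials"},"status":401}'
CAT_INDICES = b'[{"index":"watchlist"},{"index":".kibana_1"}]'


def demo() -> dict:
    """Run the classifiers over the constructed responses; needs no network."""
    return {
        "open": classify_root(200, OPEN_ROOT),
        "locked": classify_root(401, LOCKED_ROOT),
        "proxy_html": classify_root(200, b"<html><body>login</body></html>"),
        "indices": parse_cat_indices(CAT_INDICES),
    }


if __name__ == "__main__":
    # Usage: python es_probe.py <host>   (a host you are authorised to test)
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it against your own perimeter and anything reporting `exposed=True` is the situation in this story: any client that can reach port 9200 can enumerate and search the indices. The fix is not the probe but the configuration it reveals: enable authentication (`xpack.security.enabled: true` in `elasticsearch.yml`, with passwords set for the built-in users), bind `network.host` to a private interface rather than `0.0.0.0`, and restrict 9200 in the security group so the only clients are the application hosts and an authenticated reverse proxy or VPN.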
“The lists of politically exposed persons, terrorists and convicted cybercriminals are compiled and curated from a variety of third-party databases. These lists are then used by a variety of companies including Dow Jones, Thomson Reuters (now Refinitiv), and ComplyAdvantage, so the actual exposure of 2.4 million records of high-risk individuals and business entities may not be as critical or earth-shattering as other breaches involving less visible end-consumers and where usernames, passwords and other personal information are compromised.
Data breaches such as Equifax, Marriott/Starwood and Quora are far more damaging because this data usually ends up on the dark web where it can be bought and sold and aggregated with other personal information to perpetrate identity theft. Since these watchlists contain the names of politicians (politically exposed persons) and known criminals (sanctions lists) the impact may be less, depending on how much personal data was exposed. That’s not to say that this data won’t creep into the dark web — it probably will — but the impact to the Average Joe will probably be less.”
Author: ISBuzz Team (Information Security Buzz staff)