Data Deposit Box Exposes 270K Users’ Private Information – Expert Comments

Researchers yesterday published the discovery of a serious breach in an open Amazon S3 bucket owned by secure cloud storage provider Data Deposit Box.The leak exposed detailed information about 270,000 private files uploaded by customers through the company’s secure cloud storage service. The database also revealed personally identifiable information (PII) of customers, which could have serious consequences for those affected.

Experts Comments

March 27, 2020
Sergio Lourerio
Cloud Security Director
Outpost24
Today, we are still in the early days of cloud infrastructures security and that we are seeing a prevalence of opportunistic, not very sophisticated attacks, such as looking for publicly accessible AWS S3 data buckets. You'd be amazed to see the data you can find there just by simply scanning low hanging data in cloud infrastructures. And it only takes a couple of API calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and lack of knowledge of security .....Read More
Today, we are still in the early days of cloud infrastructures security and that we are seeing a prevalence of opportunistic, not very sophisticated attacks, such as looking for publicly accessible AWS S3 data buckets. You'd be amazed to see the data you can find there just by simply scanning low hanging data in cloud infrastructures. And it only takes a couple of API calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and lack of knowledge of security best practices on Azure and AWS it is very simple to get something wrong which unfortunately is the case here.  Read Less
March 27, 2020
Warren Poschman
Senior Solutions Architect
comforte AG
In a regrettable yet avoidable trend, Data Deposit Box is another example of a company that has failed its customers by failing to undertake proper security measures. Surely, heads will roll within their organization, but it's customers that are left with their personal information exposed, resulting in the sting of a privacy violation and the possible lingering pain of identity theft. In this case, data was left unprotected on AWS S3 storage – something that is 100% avoidable since AWS S3.....Read More
In a regrettable yet avoidable trend, Data Deposit Box is another example of a company that has failed its customers by failing to undertake proper security measures. Surely, heads will roll within their organization, but it's customers that are left with their personal information exposed, resulting in the sting of a privacy violation and the possible lingering pain of identity theft. In this case, data was left unprotected on AWS S3 storage – something that is 100% avoidable since AWS S3 resources by default now have “block all public access” set and require an explicit override to enable access. This lack of oversight is also a great example of where data-centric security would have kept data secure despite a failure of administrative due diligence. A data-centric security model using technologies like tokenization allows organizations to protect data that is stored anywhere – on-premise or in the cloud – even if unintentional or unauthorized access occurs. Indeed, if this private information had been tokenized, the information and files in the S3 bucket would have been worthless and indecipherable to an attacker. Enterprises need to step up to the plate and take responsibility for the data that they process by ensuring they both follow basic security guidelines from cloud providers and deploy data-centric security to protect data anywhere and everywhere.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts