Details on over 350,000 SSL247 customers exposed due to misconfigured AWS bucket

By ISBuzz Team
Writer, Information Security Buzz | Aug 28, 2020 06:19 am PST

Another week, another misconfigured AWS S3 bucket: security researchers have discovered one exposing sensitive files related to SSL247, a reseller of internet security products. The leaky database exposed the personal information of up to 350,000 customers (150 GB) who made purchases through SSL247 between 2012 and 2020. The data breach affected customers in South America, the Middle East, North America, Europe, and Africa.

1 Expert Comment
Mark Bower, Senior Vice President
August 28, 2020 2:41 pm

The cloud itself represents the ultimate 3rd party risk, and minimum viable compliance is proven yet again to be nowhere close enough to minimum viable security. The twist is that the shared responsibility model for the cloud puts 100% of the responsibility on the data owner when they are responsible to secure, configure, and control the cloud they are using. This is a classic and preventable case of breakdown – assuming the cloud’s controls are in place or sufficient, and illustrating the weak reliance on checklists and humans to enforce them. So many organizations rely on risk assessments instead of hard, proven controls like encryption and tokenization of data. The former may meet a policy, but only the latter will stop data theft when misconfiguration, attack, or error leaves data exposed.
