It has been reported that Sonic Jobs, a UK retail and restaurant jobs app used by the Marriott and InterContinental hotel chains, has exposed over 29,000 CVs online revealing job-hunters’ names, addresses, phone numbers and career histories to potential cyber criminals. The firm made the settings on their cloud storage buckets public, which meant that when someone applied for a job their CV was available for anyone who knew the location of the bucket to see and download it.
AWS is the biggest public cloud service in the world, and companies around the world are flocking to the cloud for its ease, speed and accessibility in order to operate more effectively, enhance customer experiences and remain competitive. However, often times companies adopt the cloud without the expertise or correct tools in place to ensure security. Even though Amazon S3 buckets are private by default, the self-service nature of the cloud means that users not familiar with security settings and best practices can easily alter configurations, leading to catastrophic data leaks, such as this instance. As showcased by the data leaks from Authentic Jobs and Sonic Jobs, this type of misconfiguration almost always results in exposure of very sensitive, personally identifiable information that directly affects customers. To avoid these misconfigurations and corresponding data breaches, organizations must adopt proper cloud security and compliance strategies at the same time as adopting cloud services. You cannot have one without the other. Platforms that provide automated remediation in real time are most effective in preventing misconfigurations or other security risks, especially given the rapid rate of change in cloud environments.
Unfortunately, it does not take much for cybercriminals to find databases left open to the public and access personally identifiable information. There are tools designed to detect misconfigurations within cloud-tools, like Amazon\’s S3. Authentic Jobs and Sonic Jobs left a total of 250,000 customers’ records vulnerable by leaving the buckets public. Any organization that collects and stores consumer data must make securing that information a priority. Unauthorized exposure of any type of customer data is a serious issue that may impact them well into the future. It’s imperative for companies to continuously evaluate the cybersecurity posture of their IT environments, including cloud databases, and validate their security controls are working as expected and properly preventing, detecting and alerting so your security team can respond in a timely manner to any unauthorized access.
Cloud services such as Amazon\’s AWS S3 buckets make it very easy and cost-effective for companies to store large amounts of data which can be quickly accessed from any location. Unfortunately, not applying the proper permissions can result in the same masses of information being exposed publicly, and by extension to any criminal. CVs, in particular, contain a wealth of personal and private information that can be used for many nefarious purposes to steal their identity or use employment history and details to attack previous employers. Ultimately, a trivial user error caused the issue, so it\’s vitally important that companies foster a strong security culture so that even those who aren\’t directly responsible for security, see the value in it and seek to implement it properly.
This is definitively not the responsibility of AWS, but of Authentic Jobs and Sonic Jobs. There is no excuse for such a misconfiguration, default settings by AWS are good and there are plenty of tools to check for that kind of misconfiguration, such as Cloud Security Posture Management (CSPM) tools (according to the Gartner terminology). Yet another example of enterprises being sloppy with personal data, which they are responsible for!
For potential employees, the goal is getting your resume in front of as many people as possible. And while the dark side of the web isn\’t used by employers, there are many resources and sites that job seekers commonly use to promote their candidacy. What we don\’t know is if these resumes contain personally identifiable information that isn\’t publicly available on sites such as LinkedIn and could be used for compromise. If the answer is yes, this story becomes more serious. If there is more data being exposed, the story will take on a larger life and have more serious implications for job seekers.