Security researchers found an unsecured AWS S3 bucket belonging to fitness brand V Shred that exposed the personally identifiable information (PII) of roughly 99,000 prospective customers, current clients, and trainers. Files contained names, home addresses, email addresses, dates of birth, some Social Security numbers, social media account details, usernames and passwords, age ranges, genders, citizenship status, and much more.
Leaving a database publicly accessible without any security barriers in place is one of the most common yet most easily preventable causes of data leaks and breaches. In fact, data breaches involving cloud misconfigurations increased by 80% from 2018 to 2019. With the self-service nature of the cloud, users may not be adequately familiar with cloud security settings and best practices, resulting in devastating data leaks, such as this incident involving the exposure of personally identifiable information (PII) belonging to V Shred customers and trainers. Although no evidence of misuse has been confirmed, the exposed information is highly valuable to bad actors, who harvest this kind of data to sell on dark web marketplaces or to launch future attacks against the impacted individuals.
This exposure of customer data highlights why developers and security teams need to work together to proactively identify cloud compliance and security issues before cloud resources are deployed. Organizations should not rely solely on runtime security and instead must "shift left" by taking preventative measures early on in their continuous integration (CI) and continuous delivery (CD) pipelines. This approach allows organizations to prevent security issues, including cloud infrastructure misconfigurations, from ever occurring, thereby preventing data breaches and leaks.
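As an added example of the "shift left" check described above (written for this article, not tooling from V Shred or any vendor), the script below scans a Terraform plan export for the kind of S3 exposure behind this incident: a bucket with a public ACL, a bucket with no `aws_s3_bucket_public_access_block`, or a public access block with any of its four flags turned off. It assumes the plan is shaped like `terraform show -json` output (`planned_values.root_module.resources[]` with `address`, `type`, `values`), that the public access block's `bucket` attribute resolves to the bucket name at plan time, and that the ACL is set on the bucket resource itself; all three are simplifications, and the sample plan at the bottom is constructed.

```python
"""Pre-deploy check for publicly exposed S3 buckets in a Terraform plan JSON.

Added example for this article; not V Shred's or any vendor's tooling.
Assumes `terraform show -json` layout and that cross-resource references
resolve to bucket names at plan time (real plans may leave them unknown
until apply, so a production check should also match on resource address).
"""
import json
import sys

# Canned ACLs that grant read or write access beyond the account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
# All four flags must be true for an effective public access block.
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def iter_resources(plan):
    """Walk the root module and nested child modules, yielding resources."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def find_exposures(plan):
    """Return a list of (resource_address, reason) for risky S3 settings."""
    findings = []
    buckets = {}   # bucket name -> bucket resource address
    blocks = {}    # bucket name -> (block resource address, its values)
    for res in iter_resources(plan):
        values = res.get("values", {})
        if res.get("type") == "aws_s3_bucket":
            buckets[values.get("bucket")] = res["address"]
            if values.get("acl") in PUBLIC_ACLS:
                findings.append((res["address"], f"public ACL {values['acl']!r}"))
        elif res.get("type") == "aws_s3_bucket_public_access_block":
            blocks[values.get("bucket")] = (res["address"], values)
    for name, address in buckets.items():
        if name not in blocks:
            findings.append((address, "no aws_s3_bucket_public_access_block"))
            continue
        block_address, values = blocks[name]
        disabled = [flag for flag in PAB_FLAGS if not values.get(flag, False)]
        if disabled:
            findings.append((block_address,
                             "public access block disabled: " + ", ".join(disabled)))
    return findings


# Constructed sample plan: one public bucket without a block, one private
# bucket whose block is incomplete, and one correctly locked-down bucket.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.leads", "type": "aws_s3_bucket",
     "values": {"bucket": "example-leads", "acl": "public-read"}},
    {"address": "aws_s3_bucket.exports", "type": "aws_s3_bucket",
     "values": {"bucket": "example-exports", "acl": "private"}},
    {"address": "aws_s3_bucket_public_access_block.exports",
     "type": "aws_s3_bucket_public_access_block",
     "values": {"bucket": "example-exports", "block_public_acls": True,
                "block_public_policy": False, "ignore_public_acls": True,
                "restrict_public_buckets": True}},
    {"address": "aws_s3_bucket.safe", "type": "aws_s3_bucket",
     "values": {"bucket": "example-safe", "acl": "private"}},
    {"address": "aws_s3_bucket_public_access_block.safe",
     "type": "aws_s3_bucket_public_access_block",
     "values": {"bucket": "example-safe", "block_public_acls": True,
                "block_public_policy": True, "ignore_public_acls": True,
                "restrict_public_buckets": True}},
]}}}


def main(path=None):
    """Print findings and return a non-zero exit code to fail the CI job."""
    if path:
        with open(path) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_exposures(plan)
    for address, reason in findings:
        print(f"FAIL {address}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python check_s3.py plan.json` in the pipeline stage before `terraform apply`; the non-zero exit code blocks the deploy until the public ACL is removed and a complete public access block is attached, which is the preventative step the article argues for.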