Breaking news has revealed that due to another cloud storage misconfiguration, over 120 million Americans across billions of data points are said to have been affected. The issue is said to have occurred after an Amazon Web Services S3 cloud storage bucket was left exposed and open to the public internet. IT security experts are commented below.
Tim Erlin, VP of Product Management and Strategy at Tripwire:
“If you’re using Amazon S3 storage, or any cloud storage, you need to be monitoring its configuration. There’s no excuse for failing to keep tabs on this particular misconfiguration.
The rash of AWS S3 leaks isn’t the result of malicious attackers. These are misconfigurations that have put sensitive data at risk. Organizations have to manage their configurations securely, whether in traditional infrastructure, or in the cloud.”
Ryan Wilk, Vice President at NuData Security:
“While Alteryx is trying to downplay this slightly negligent breach, in all reality it is very serious and will have long lasting effects, not only on adults, but also on children end the elderly. It is this type of valuable consumer identifiable information that hackers are working endlessly to obtain. Securing data should be a top priority at all companies. The mishandling of data through online databases or via a third party is no longer a valid excuse in the eyes of the public. These are sloppy practices that can be easily remedied by following simple but effective security techniques. Companies need to take a pro-active stance to secure all data and make security part of their core business practice. As we have seen in the EU with GDPR, it is time for companies to take responsibility and use best practices when securing data that they are simply the custodian of, not the true owner.”
Atiq Raza, CEO at Virsec Systems:
“This is the latest example of organizations not applying stringent security to data in the cloud, and then underestimating the potential damage. Private information across multiple fields such as addresses and banking info can easily be correlated with names. While hopefully the data was not breached, it was clearly exposed, unencrypted, and could easily have been accessed by any hacker.”
David Vergara, Head of Global Product Marketing at VASCO Data Security:
“In isolation, this data leak event may not appear to be a big deal. However, the volume and detailed consumer data already available on the dark web makes assembling and validating more complete identities relatively easy using this data. As other experts have noted, it’s ludicrous to believe that this data couldn’t be used by cybercriminals to boost fraud success with higher value targets. All consumers should use some defensive measures to protect their identities, ranging from simple alerts on account activities to security freezes with reporting bureaus. Additionally, good security hygiene means that businesses should quickly move away from weak static passwords, and deploy multi-factor authentication – it is inexpensive and orders of magnitude more secure.”
Rich Campagna, CEO at Bitglass:
“This ConsumerView leak is the latest of several big cloud incidents in 2017 and one of the largest AWS misconfiguration leaks we’ve seen to date. These incidents continue to pose a major threat to data security and call for all organisations to re-evaluate their cloud security posture and processes. Despite its scale, this data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorised access, and encrypt sensitive data at rest.”
Thomas Fischer, Global Security Advocate at Digital Guardian:
“Driven by new computing platforms such as AWS, businesses now face threat vectors that simply would not have existed even a few years ago. The introduction of cloud services has added a whole new level of complexity to security policies and it’s much harder to implement security controls in shared environments such as IaaS. In 2017 alone we’ve seen plenty of evidence of businesses using AWS buckets that don’t understand how to properly secure their cloud data.
This particular incident could likely have been avoided if Experian had properly validated how Alteryx was using and securing the test data. Companies must have policies in place to only share pseudonomised data or ensure all shared data is in an encrypted format.”