A leak of 10,000 records at a Leicestershire care home provider exposed elderly patients’ wishes not to be resuscitated, according to The Register. The leak, which came from an unsecured S3 bucket, also revealed detailed care plans and precisely how much councils paid for individual patients’ care. Rotherwood Care Group, trading as Rotherwood Healthcare, were also caught out by their website privacy policy, which consisted solely of lorem ipsum placeholder text.
If companies aren’t in total control of their data security, problems like this will arise. S3 is one of the oldest services in AWS, and the good news is that it always defaults to secure and private. However, the bad news is that AWS allows people to use it – and people notoriously weaken or even bypass that security, sometimes without even being aware of it.
Cloud misconfiguration can easily occur, so it needs to be double-checked by the people in charge of it. If you are concerned, simply log into the console, click on S3, and look for the ‘Public’ tag to see if any data is vulnerable to theft. AWS has taken measures to better educate its customers about proper S3 bucket configurations, but the best protection is a two-way street, where users take on some of the responsibility themselves too.