It has been reported that a contractor working for mobile giant Sprint stored hundreds of thousands of cell phone bills of AT&T, Verizon and T-Mobile subscribers on an unprotected cloud server. The AWS storage bucket had more than 261,300 documents, the vast majority of which were phone bills belonging to cell subscribers dating as far back as 2015. It was not protected with a password, allowing anyone to access the data inside. It’s not known how long the bucket was exposed.
If American consumers knew how careless third parties are with their data, they would – or should – be shocked and angry.
Presumably, this is either a sales or marketing contractor, hired to switch-sell customers from competitors, or a reseller working on cross-selling campaigns. A reseller would have access to multiple telcos’ subscribers.
The open nature of the database also supports the marketing/sales angle, giving a wide number of sales reps ready access to the data. Presumably, someone just assumed that no one would know about the data.
Perhaps this incident explains why no-one answers their cellphones in America – it is still open season on cellphone customers, and not just from spammers.
We’ve seen this same pattern of carelessness over and over.
Far too many people with access to sensitive data can far too easily upload it to AWS or other cloud services, without ensuring basic security.
Organizations need to establish much stronger controls on who can set up and access cloud storage. The bar also needs to be much higher for the cloud providers. AWS and others like to wash their hands of responsibility for customer data saying they have a “shared security model.” But they need to at least provide security by default to reduce the chance of careless errors.
We’re already seeing an enterprise backlash against cloud providers, with many businesses moving sensitive data and apps back on-premise. If AWS and others don’t step up, this trend away from the cloud will accelerate.
It’s not that AWS or any other cloud service provider (CSP) isn’t secure, it’s what people with good intentions fail to do when putting sensitive data in the cloud.
They fail to remember (or simply do not know) that some default configurations at CSPs do not ‘turn on’ effective (or even basic) data security – you have to activate security yourself, or only put data that’s already secured in the cloud. When neither is done, data exposure incidents like this will happen over and over again.
A more effective approach is to think ‘security first’. IT professionals need to answer the question “before I upload or download this data, how will it be secured.” And “nobody will know where it is” or “someone else is responsible for data security are not answers.
Unfortunately, ‘convenience-first’ and ‘customer-first’ approaches often push ‘security-first’ to a lower priority. People with good intentions are typically just trying to get their jobs done and this is sometimes where an accidental insider event occurs.
A data-centric approach towards information security helps reduce incidents like this and puts less of a burden on employees just trying to do their jobs.