It has been reported that an unsecured database on Amazon has been discovered, exposing sensitive information and passport scans on thousands of employees. The information, including thousands of passport scans, tax documents, background checks, job applications, expense forms, scanned contracts, emails, and salary details, was stored on an Amazon Web Services (AWS) S3 bucket. The unencrypted database was exposed for an unknown amount of time impacting consultancy firms such as Garraway Consultants, Dynamic Partners, IQ Consulting, Eximius Consultants Limited, Winchester Ltd, Partners Associates Ltd, and others. While many of these firms are no longer in business, the exposed PII still relates to existing people who could be at risk.
Another day, another unsecured AWS bucket, and the data in this one couldn\’t be more sensitive. The files discovered by the researchers include passports, job applications, tax documents, background checks, and scanned contracts. Essentially, every personal detail a criminal could possibly need to conduct identify theft, all left in an unsecure database online. The oldest of the UK information dates back to 2011, which is a very large window for criminals to have found this database and exploited it. Remember, we only hear about open databases in the news when security researchers find them – criminals don\’t advertise that they\’ve come across a treasure trove of information – but you better believe that they\’re out there searching for them.
This is not the fault of Amazon, which has security measures for its AWS storage. In fact, you have to disable the default security measures to leave a database open like this. Data leaks such as this happen because businesses do not have enough awareness or visibility of how their data is actually being stored in the cloud, and it is crucial that this changes. Unfortunately a lack of accountability makes this difficult – Amazon can\’t disclose whose storage this is so we don\’t know what organisation is responsible. However, that is no excuse for businesses to be lax on cloud security. They and their customers will pay the final cost of lost data.
Cloud adoption has enabled many companies to conveniently gather and store large amounts of data. However, just because the cloud provider secures the infrastructure, it doesn\’t mean the data is automatically secured. It still remains the responsibility of the cloud service user to ensure that all data that is collected is properly secured.
With the large number of unsecured AWS S3 buckets exposing millions of records, one would hope that by now, checking to see if a database is publicly accessible would be the first step in a list of assurance activities. Unfortunately, this doesn\’t seem to be the case, and won\’t be until organisations embed security as part of their culture so that each employee recognises its importance and the need to play their part.
It will be interesting to see how the ICO reacts to this particular breach as it contains a great amount of highly sensitive personal data.
Cloud storage solutions are convenient and cost effective. It’s also of great importance to remember that every implementation of such services need to be handled by experts who understand how to configure S3 buckets securely. This is especially true when passport details, salary information and other pieces of sensitive data are being handled. In these scenarios, organizations must follow certain procedures, policies, and regulations (e.g., GDPR). They need to involve individuals who are trained to configure S3 buckets properly—and this could mean training internal resources or bringing on consultants to do so effectively. If you do not take action to implement data security protocols in public cloud storage resources, and ensure that those involved with such activities are well-trained on these matters, issues such as this could become very real for your organization.
What may be most revealing about this sensitive data discovery, is that many of the firms are no longer in business. If one of the people were negatively affected by this data exposure discovery, and they want to hold someone, or some organization responsible, who would that be? Company policies towards sensitive data need to ensure sensitive data is protected at all times, which would minimize data exposure incidents even if a company goes out of business.
Activating encryption on databases with sensitive data certainly does help reduce data exposure incidents or data breaches. However, when the sensitive data is needed for everyday business usage, the databases need to be decrypted. The act of encrypting and decrypting databases in order for the daily business utilization, gives technology professionals a somewhat ‘valid reason’ for leaving sensitive data unencrypted. Adversely, this leads to data exposure incidents (such as this one) which can turn into data breaches.
Technology professionals really need to get out of the habit of leaving sensitive data unprotected. A simple solution would be to tokenize or encrypt the data as soon as the data is received. Notice the reference of ‘the data’ and not ‘the databases’ – there is a difference. Tokenizing or encrypting the actual data itself means that no matter where the data is stored – in a database, in another database in the cloud, on another server elsewhere in the Enterprise – the data is always protected in a way that ‘security travels with the data.’ If the reference was to encrypt the database, then this means that databases are encrypted one at a time, and if one database is left unencrypted, the data is exposed.
In the case of a company going out of business, the data would be protected, so without the exposure incident would have significantly less risk of happening.