It has been reported that Jamaica just experienced a massive data breach that exposed the immigration and COVID-19 records of hundreds of thousands of people who visited the island over the past year.
According to TechCrunch, the Jamaican government contractor Amber Group left a storage server on Amazon Web Services (AWS) unprotected and without a password. This allowed anyone to access the data, which consisted of 70,000 COVID lab results, 425,000 immigration records, 250,000 quarantine orders, and 440,000 images of travelers’ signatures.
This breach illustrates how sensitive data and resources can be exposed unintentionally. Deploying zero trust security principles, such as least privileged user access, multi-factor authentication, and policy enforcement, could have prevented this sensitive data exfiltration. It is becoming more imperative that organizations educate their staffs about proper security precautions and implement security best practices to limit exposure such as this.
Another day brings news of another unsecured database, this time from a contractor working for the Jamaican government. The database is part of an application built to track the COVID testing results of visitors to the Caribbean island nation. Like most software, this application was probably built as quickly as possible with functionality being its only goal. We will stop seeing these kinds of headlines only when development teams include security at every phase of development.
In this case, about ten minutes of threat modeling during the application’s design would have made obvious the danger of leaving the database exposed. Requiring authentication would have added perhaps an hour or two to the development cycle. Like brushing your teeth or eating your vegetables, security needs to be a consistent habit with application development teams. For development teams, security is a habit that produces long-term positive results. Travelers whose information has been exposed are advised to be wary of unsolicited emails or telephone calls that might include information such as passport numbers and other personal details.
This breach continues to demonstrate that while you can outsource your security, you cannot outsource risk. It doesn’t matter if a third party is to blame for a security breach; the reality is that the data that your users have entrusted you with has been compromised. Organizations must adopt a culture of security that includes carefully vetting the processes and procedures of vendors and contractors who have access to sensitive data and systems.
At first glance, it seems an almost classical mistake of a misconfigured system that should not have been accessible over the Internet. Unfortunately, this data leak from the Jamaican immigration office is something we see all too frequently. A cloud service that is brought up for probably all the right reasons, but security is completely forgotten in the process. As public clouds become so easy and cost-effective to spin up, mistakes are easily made with shadow IT and by those without cloud security knowledge. Before connecting any system to the internet, ask yourself the questions: what are we putting in the cloud, and are the data sensitive? Then make sure your security team knows about it and make use of cloud security posture management (CSPM) tools as a baseline to harden your cloud services.
The unfortunate data breach in Jamaica exposing immigration and COVID-19 records underscores the need to think through your data protection strategy very carefully. We can easily overlook or simply forget—given the convenience of cloud-based services—that data protection isn’t necessarily a given which is built into the service or configured and handled by somebody else.
The right mindset to have is this: if a breach or other incident occurs exposing sensitive data which you are processing or storing, then you (not the cloud service provider) are responsible for all the many negative repercussions. If nothing else focuses your attention on protecting your cloud-based data, this realization should. The fallout can be devastating for any organization or enterprise.
What’s the solution? Put serious and proactive effort into exploring data protection methods that accompany your data rather than protect borders around it, because finding clearly defined borders in the cloud is incredibly difficult. Data-centric protection such as tokenization or format-preserving encryption can help avoid situations like this one.