It has been reported that an open database is the source of a data leak leading to the exposure of 425GB in sensitive documents belonging to financial companies. Security researchers found over 500,000 “highly sensitive” documents, including private legal and financial files, that originated from Advantage and Argus. In total, 425GB was contained in the database at the time of discovery — and files were still actively being uploaded to the bucket as the team conducted their investigation. The entries related to the companies’ businesses and included credit reports, bank statements, contracts, legal documents, driver license copies, purchase orders and receipts, tax returns, Social Security information, and transaction reports.
This is another unfortunate instance of an AWS bucket left open without any security protocols, leaving extremely sensitive legal and financial documents unprotected online — accessible to anyone worldwide. In 2020, businesses are increasingly moving information to the cloud for cost efficiency, increased flexibility, and improved accessibility; however, it is important to understand the gravity of what it means to move this type of information to the cloud and be prepared to use everything at your disposal to protect it.
AWS S3 and other similar types of buckets have become one of the most common vectors of large-scale data compromise in the past two or three years. This means that any companies using this type of technology should already be monitoring it with additional scrutiny. And in general, if you want to store extremely sensitive and confidential data in the cloud — something internet-accessible — you should plan to protect it like it’s Fort Knox. This information is powerful, valuable, and can be used to inflict a lot of personal damage. It isn’t a responsibility companies should take lightly.
No matter where an organization stores their data, real-time monitoring and clear visibility are crucial for rapidly detecting and neutralizing security threats. Had Advantage Capital Funding and Argus Capital Funding leveraged authentication and access controls, security monitoring, detection, intelligence, and response capabilities, over 500,000 private documents would have been safeguarded.
Cloud databases have made it increasingly cost-effective and convenient to store, process, and share large amounts of data quickly and efficiently. And while cloud infrastructure can be comparatively secure – it does come with different risks. As this incident shows, it is another case of a database which should have been private being left exposed to the open internet.
When that happens, the impact of such breaches is huge. Therefore, it is important that administrators who set up and maintain such databases are adequately trained in how to secure them. Furthermore, organisations should have a security assurance plan in place by which they can validate that systems are set up and secure as they should be.
This is not the first time we have seen the improper use of a cloud service result in a disaster. It becomes a disaster when third parties are able to access documents containing financial data, particularly when such parties do not require any special hacking expertise to do so. It is a well-known fact that cloud storage solutions are convenient and also cost-effective. However, we must not forget that it is of great importance that every implementation of such services is handled by experts who understand how to configure S3 buckets securely.
If an organisation is struggling to deploy solutions that securely store sensitive data, they need to involve individuals, professionals or organisations who are specifically trained to configure these services – in this case, S3 buckets – properly. This could also mean training internal teams so that they are able to handle such services in the future. Enlisting consultants to deliver services is not only the most effective response, but it would also be the most responsible thing to do.
If you do not take action to implement data security protocols in public cloud storage resources and ensure that those involved with such activities are well-trained on these matters, issues such as this could become a reality for your organisation.
We should no longer be seeing these cases in future. This should be a call to everyone storing sensitive data to check on their security protocols and to see if the implementation of their solutions is correctly conducted. I would also urge every organisation to check that they comply with GDPR, CCPA or other Data Privacy standards and guidelines imposed by their country or state. This can already give them an initial overview of the issues at hand. In the case that an organisation is struggling to make sense of it all, make use of service providers and experts that can help you avoid situations like this. It is important to remember that any noncompliance could lead to high monetary fines.