It has been reported that the addresses and demographic details of more than 80 million US households are listed on an unsecured database stored in the cloud. The details listed include names, ages and genders as well as income levels and marital status. The researchers have been unable to identify the owner of the database, which is still online and requires no password to access. Some of the information is coded, like gender, marital status and income level. Names, ages and addresses are not coded.
Mystery database with 80M records of US household data found on Microsoft cloud server –>
Security researches have uncovered an exposed database with details of 80 million U.S. households but in a mysterious twist have no idea who it belongs to or wher… https://t.co/BW0Y32kvZd
— Tanat Tonguthaisri (@gastronomy) April 30, 2019
https://twitter.com/Kobotic/status/1123170673306656769
Experts Comments:
Ryan Wilk, Vice President at NuData Security:
“It does not matter where in the world personal data is exposed, cyber criminals will leverage this data globally for building synthetic identities or taking over identities to buy goods and services. The mishandling of data through online databases or via a third party is no longer a valid excuse in the eyes of the public. Many companies are already taking a pro-active stance to secure all data and make security part of their core business practice. As demonstrated in the EU with GDPR, companies will have an important role in best practices when securing data that they are the custodian of, not the owner.”
Tim Erlin, VP at Tripwire:
“Unfortunately, this type of breach is no longer unusual, but it is unusual to not know who owns the exposed data. Until we understand who the owner is, we’re limited to generalisations about this exposure. It’s clear, after so many incidents, that organisations do not have control over access to their data stored in the cloud. It’s not for a lack of tools, but a lack of understanding and implementation of the available tools. If you are storing data in the cloud, you can and should be able to audit the access permissions for that data on a continuous basis.”
John Gunn, CMO at OneSpan:
This is not a goldmine for identity thieves, or even of significant note. It does not contains any payment card information, no social security numbers, no passwords, not even any email addresses. It would have very limited value on the dark web. This is the type of information that countless marketers have been tracking and using for decades and is readily available. Yes, it could help hackers, but there are many other avenues to this type of information and no one should be worried about this, beyond concern for the enerally poor security practices of the owner and whatever else they may not be protecting.
Mounir Hahad, Head at Juniper Threat Labs at Juniper Networks:
It is very unsettling to see so much sensitive data exposed to anyone with a computer and an internet connection. There are several services that continuously scan the internet these days, so it takes very little time for anything unprotected on the internet to be discovered. On a good day, the exposure is detected by a white hat researcher that alerts the owner, but on other days, threat actors do since they have access to the same capabilities as the good guys.
This kind of exposure seems to me the result of a shift to multicloud that is done by people who do not understand what they have embarked on, or who do not have the tools to perform this journey to the cloud safely. Since the data exposed is hosted on a public cloud provider, I can only guess it is the work of some shadow IT, where a group or individual believed the data was safely stored when it wasn’t.
The journey to multicloud is happening and there is no going back. The risks of not properly securing your multicloud environment are very serious though and I strongly recommend every company today engages with partners who understand networking, who understand the cloud and who can provide advice and solutions that will make that transition seamless and secure.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.