Breaking news has revealed that due to another cloud storage misconfiguration, over 120 million Americans across billions of data points are said to have been affected. The issue is said to have occurred after an Amazon Web Services S3 cloud storage bucket was left exposed and open to the public internet. IT security experts are commented below.
Tim Erlin, VP of Product Management and Strategy at Tripwire:
“If you’re using Amazon S3 storage, or any cloud storage, you need to be monitoring its configuration. There’s no excuse for failing to keep tabs on this particular misconfiguration.
The rash of AWS S3 leaks isn’t the result of malicious attackers. These are misconfigurations that have put sensitive data at risk. Organizations have to manage their configurations securely, whether in traditional infrastructure, or in the cloud.”
“While Alteryx is trying to downplay this slightly negligent breach, in all reality it is very serious and will have long lasting effects, not only on adults, but also on children end the elderly. It is this type of valuable consumer identifiable information that hackers are working endlessly to obtain. Securing data should be a top priority at all companies. The mishandling of data through online databases or via a third party is no longer a valid excuse in the eyes of the public. These are sloppy practices that can be easily remedied by following simple but effective security techniques. Companies need to take a pro-active stance to secure all data and make security part of their core business practice. As we have seen in the EU with GDPR, it is time for companies to take responsibility and use best practices when securing data that they are simply the custodian of, not the true owner.”
“This is the latest example of organizations not applying stringent security to data in the cloud, and then underestimating the potential damage. Private information across multiple fields such as addresses and banking info can easily be correlated with names. While hopefully the data was not breached, it was clearly exposed, unencrypted, and could easily have been accessed by any hacker.”
“In isolation, this data leak event may not appear to be a big deal. However, the volume and detailed consumer data already available on the dark web makes assembling and validating more complete identities relatively easy using this data. As other experts have noted, it’s ludicrous to believe that this data couldn’t be used by cybercriminals to boost fraud success with higher value targets. All consumers should use some defensive measures to protect their identities, ranging from simple alerts on account activities to security freezes with reporting bureaus. Additionally, good security hygiene means that businesses should quickly move away from weak static passwords, and deploy multi-factor authentication – it is inexpensive and orders of magnitude more secure.”
Rich Campagna, CEO at Bitglass:
“This ConsumerView leak is the latest of several big cloud incidents in 2017 and one of the largest AWS misconfiguration leaks we’ve seen to date. These incidents continue to pose a major threat to data security and call for all organisations to re-evaluate their cloud security posture and processes. Despite its scale, this data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorised access, and encrypt sensitive data at rest.”
“Driven by new computing platforms such as AWS, businesses now face threat vectors that simply would not have existed even a few years ago. The introduction of cloud services has added a whole new level of complexity to security policies and it’s much harder to implement security controls in shared environments such as IaaS. In 2017 alone we’ve seen plenty of evidence of businesses using AWS buckets that don’t understand how to properly secure their cloud data.
This particular incident could likely have been avoided if Experian had properly validated how Alteryx was using and securing the test data. Companies must have policies in place to only share pseudonomised data or ensure all shared data is in an encrypted format.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.