Following the news that a Walmart partner exposed the personal data of 1.3 million US and Canadian shoppers due to an AWS misconfiguration, IT security experts commented below.
Manoj Asnani, VP of Product Management & Design at Balbix:
“There are many issues with the breach notification of a Walmart partner, Limogés Jewelry. Whether or not the database was misconfigured so that it was public facing, the fact that this type of PII – including passwords – was stored in plain text is concerning and an issue that should have been surfaced in any compliance audit conducted on the organization. While it’s not acceptable in this day and age to have information made publicly available and viewable to the rest of the internet, it’s a challenge that nearly every organization has fallen victim to at some point. One of many reasons this happens is because they are not coming from a mindset where they’re proactively thinking, ‘where am I most likely to get breached?’ and crafting their security approach based on that. Visibility seems to be an issue for everyone except attackers, and that is something that must change immediately if we are going to see any change in the number of exposures over the next 5-10 years. It will be interesting to see if there will be any ramifications from Walmart’s perspective, given this is a vetted and approved partner of the retail giant.”
Mike Schuricht, VP Product Management at Bitglass:
“Let’s go back a few weeks to when the BuckHacker search engine was unearthed. It’s clear that identifying a very specific vulnerability such as a misconfigured S3 bucket – by way of a plethora of tools readily available to nefarious individuals and researchers alike – is infinitely easier than implementing and continually monitoring an organization’s applications and stack in the public cloud. Given how readily available discovery tools are for attackers, ensuring corporate infrastructure is not open to the public internet should be considered table stakes for enterprise IT. While it’s difficult to keep track of the number of AWS S3-centric disclosures that have happened since 2016, there should be no misunderstanding from the Board down to the technical level, that this is an issue that can impact any organization at any time and that there are steps that can be taken to ensure this type of breach never happens to you.
An effective way to address these threats is to implement a system that provides visibility over cloud data, alerts for high-risk configurations, and automatic, real-time protection mechanisms. Regulated organizations in healthcare and financial services are keenly aware of this challenge and make security a blocking requirement before any new applications can be deployed.”
Zohar Alon, CEO and Co-Founder at Dome9:
“As organizations continue to reap the rewards of the public cloud, we continue to see setbacks as a result of basic misconfigurations. Last week it was news of BJC from the healthcare sector, this week the ecommerce sector with Wal-Mart’s jewelry partner. Next week it could be the financial, federal or education sector, but the questions organizations need to ask themselves are pretty simple: are you running internal scans more than once or twice a year for public-facing, business-critical databases? Are you 100% certain you’ve changed the default settings on your deployments? And do you have the processes and protocols in place to deal with pertinent notifications and alerts to minimize or mitigate exposures?”
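Schuricht’s “visibility over cloud data, alerts for high-risk configurations” and Alon’s “are you 100% certain you’ve changed the default settings” both reduce to the same concrete check for S3: does the bucket ACL or bucket policy grant access to everyone, and does the account-level public access block override it? The Python below is an added example, not code from the article or from any of the quoted vendors. It evaluates the three settings offline on two constructed bucket records shaped like the responses of GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock; the bucket names, account ID and role name are placeholders, and a weak configuration is shown beside its hardened counterpart.

```python
import json

# Grantee URIs that make an ACL public (these are AWS's real predefined groups).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# The four S3 Block Public Access settings; a bucket with none configured
# behaves as if all four were False.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_wildcard(principal):
    """True when a policy statement's Principal is everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        if isinstance(values, str):
            values = [values]
        return "*" in values
    return False


def _wildcard_statements(policy_json):
    """Yield (actions, has_condition) for every Allow statement open to everyone."""
    if not policy_json:
        return []
    policy = json.loads(policy_json)
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.append((actions, bool(stmt.get("Condition"))))
    return found


def acl_findings(grants):
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri == ALL_USERS:
            findings.append(f"ACL grants {grant['Permission']} to AllUsers (anyone on the internet)")
        elif uri == AUTH_USERS:
            findings.append(f"ACL grants {grant['Permission']} to AuthenticatedUsers (any AWS account)")
    return findings


def policy_findings(policy_json):
    findings = []
    for actions, conditional in _wildcard_statements(policy_json):
        qualifier = "limited only by a Condition (review it)" if conditional else "with no Condition"
        findings.append(f"policy allows {actions} to everyone {qualifier}")
    return findings


def public_access_block_findings(pab):
    pab = pab or {}
    return [f"{key} is not enabled" for key in PAB_KEYS if not pab.get(key, False)]


def assess_bucket(bucket):
    """Every high-risk setting on the bucket, as human-readable alert lines."""
    return (acl_findings(bucket.get("Grants", []))
            + policy_findings(bucket.get("Policy"))
            + public_access_block_findings(bucket.get("PublicAccessBlock")))


def is_publicly_exposed(bucket):
    """Exposed when a public ACL or an unconditional public policy is not overridden by the block."""
    pab = bucket.get("PublicAccessBlock") or {}
    acl_open = bool(acl_findings(bucket.get("Grants", []))) and not pab.get("IgnorePublicAcls", False)
    unconditional = [a for a, cond in _wildcard_statements(bucket.get("Policy")) if not cond]
    policy_open = bool(unconditional) and not pab.get("RestrictPublicBuckets", False)
    return acl_open or policy_open


# Constructed sample records (hypothetical names and IDs, not any real organization's data).
WEAK_BUCKET = {
    "Name": "example-customer-orders",
    "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-orders/*"}]}),
    "PublicAccessBlock": None,   # never configured: the AWS default
}

HARDENED_BUCKET = {
    "Name": "example-customer-orders",
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/OrderProcessor"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-orders/*"}]}),
    "PublicAccessBlock": {key: True for key in PAB_KEYS},
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["Name"], "EXPOSED" if is_publicly_exposed(bucket) else "not exposed")
        for line in assess_bucket(bucket):
            print("  -", line)
```

Run over the real account, the same functions would consume the output of the equivalent API calls for every bucket, and the schedule matters as much as the logic: Alon’s point is that an annual scan leaves a misconfiguration live for months, so a check like this belongs in a job that runs on every deployment and on a daily timer, with the findings routed to the alerting process he describes.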
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.