News has broken that the WWE has suffered a data breach, exposing 3 million wrestling fans’ personal details. IT security experts commented below.
Zohar Alon, Co-Founder and CEO at Dome9:
“S3 is one of the first AWS public cloud services, and has been a key driver of the cloud computing revolution since its introduction in 2006. Yet many users don’t fully understand how to configure S3 buckets to prevent accidental data exposure.”
“Storing sensitive data in the cloud without putting in place appropriate systems and practices to manage the security posture is irresponsible and dangerous. A simple misconfiguration or lapse in process can potentially expose private data to the world and put an organization’s reputation at risk. We are just starting to see the repercussions of this gap now.”
Javvad Malik, Security Advocate at AlienVault:
“This isn’t the first time, and will unfortunately not be the last time a company has misconfigured a cloud service to make them publicly accessible.
The important thing for companies to remember is that using a cloud service comes with a shared security responsibility, it is wrong to hold onto the belief of “secure because Amazon”. Whenever a company, particularly with significant amounts of sensitive data uses the cloud, they should take a full inventory of the data, where it’s hosted, and ensure it is being protected adequately. Then on an ongoing basis, they should monitor to detect threats to ensure no breaches have occurred, or inadvertent changes have been made that expose data publicly.”
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“Securing S3 buckets should be cloud security 101; that and deleting any root API keys opting for least privileges . This also demonstrates that flexibility in the cloud is both a blessing and a curse. You really need to know what you are doing or things can go very wrong very quickly. This also demonstrates why GDPR is so important, as it makes businesses think about where customer data is and whether they have the appropriate controls to protect it. In this case they clearly didn’t.
AWS Identity and Access Management (IAM) policies are very flexible and there is no excuse for not implementing least privileges; it also allows for programmatic access.
Monitoring changes in cloud environments, as well as looking at hardening the cloud and performing continuous scanning of the environment is imperative.
It’s also important to think about what data you have, why you need it and more importantly where is it! Keep your attack surface area lean, monitored and only provide access to those who need it for their role. Applications that need access to data should be scanned continually for vulnerabilities in addition to using the tools provided by the cloud to limit access to just that applications core components.”
Raj Samani, Chief Scientist and Fellow at McAfee:
“Data is currently one of the world’s most valuable commodities and yet every day a data breach, leak or hack is reported. This latest leak is yet another indication that organisations need to wake up to the ever present threat of a breach or attack. As companies collect more and more data, they may be unconsciously shooting themselves in the foot in their efforts to be completely secure.
Organisations often have too many tools operating in silo at once and failing to communicate with each other – making it much harder to realise when systems have been subject to a breach. It is now not unusual for businesses to have over 10 security tools which require constant monitoring, meaning that human error becomes a key factor in the security of our data. Companies need to focus on building a fully integrated security system with automated monitoring in place to ensure that they are always one step ahead. Finding the right combination of people, process and technology is the key to effectively protecting the organisation’s data, detecting any threats and, when targeted, having the capability to rapidly correct affected systems.”
Ryan Wilk, Vice President at NuData Security:
“In less than a month there is news of a third “non-breach ‘breach’” of sensitive user PII data. The unfortunate mishandling of trusted data by Deep Root, data.gov.uk, and now the WWE continues to show that sophisticated hacking is not required to obtain troves of identity data that can be used to create fraudulent identities or access online personas.
“Data in the wrong hands can have a huge impact. Email addresses and password information, combined with other data on the consumer from other breaches and social media, builds a more complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans and much more. Every hack has a snowball effect that far outlasts the initial breach.
“We have hit a turning point where financial and identity cybercrime has become something that a person with the most basic computer skills can dabble in. Because of this, organisations need to rethink how they protect and identify their users in the digital world. We need to protect all consumer data, but more importantly, we need to make it valueless. Using advanced techniques like Passive Biometrics and Behavioural Analytics gives merchants and FIs a step up on the bad actors looking to monopolise this data. Understanding the user behind the device is key in effect devaluing the stolen identity data to any other person or entity.”
Salim Hafid, Product Manager at Bitglass:
“This WWE fan data leak is yet another major organization’s lapse in cloud security and data privacy awareness. Proper configuration and controls that prevent data leakage are critical for platforms like AWS where millions of user records are often stored and readily accessed. As public cloud adoption rises, organizations must have configurations and controls tightly sealed on all fronts – their customer’s sensitive personal data depends on it.”
Ben Herzberg, Research Group Manager at Imperva:
“This is yet another heavy weight leak (pun intended) where the ease of cloud deployments probably made someone forget the basics. If you put it out there, someone will take it. This is another example of why each deployment operation of data or applications must be bolted in with security mechanisms, and why simply putting something on a cloud platform does not make it secure.”