AWS S3 Misconfiguration Leaks Personal Info of Nearly 200 Million Voters
Multiple security reports recently revealed the dangers of cloud computing misconfigurations, resulting in vulnerabilities that have again manifested in the real world as personal information about nearly 200 million voters was left exposed on an Amazon Web Services-hosted S3 bucket.
Security firm UpGuard Inc. discovered the data left exposed by Deep Root Analytics, a Republican data firm working for the Republican National Committee (RNC).
"In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as 'modeled' voter ethnicities and religions," said UpGuard in a post that was updated yesterday.
Misconfigured cloud-based data stores have resulted in many vulnerabilities and threats, such as the recent spate of ransomware attacks targeting MongoDB databases, Elasticsearch repositories and other sources.
The misconfiguration problem has since been publicized by security firms seeking out such vulnerabilities, and UpGuard security analyst Chris Vickery discovered the exposed voter data while searching for just such open cloud repositories.
Deep Root Analytics' data repository was an AWS S3 bucket, which didn't have any access protection.
"As such, anyone with an Internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: 'dra-dw,'" UpGuard said. There was no mention of proof that attackers downloaded any data for nefarious purposes.
The UpGuard report was just the latest in a string of such announcements, including:
The finding by UpGuard resulted in a post about "AWS S3 Bucket Provisioning."
"Amazon’s Simple Storage Service (S3) storage buckets are notorious for being left unlocked to the public, even by some of the world’s largest companies," the post said. "This can result in a massive data breach, if the bucket was holding a corporate database, customer list, or other large collection of sensitive information. And it has. Although the misconfiguration itself, a simple permission, is quite small, its implications can be disastrous."
It took Vickery several days to download some 1.1 TB of data from the unsecured data warehouse, an amount of data equal to 500 hours of video.
"Despite the breadth of this breach, it will doubtlessly be topped in the future -- to a likely far more damaging effect -- if the ethos of cyber resilience across all platforms does not become the common language of all Internet-facing systems," UpGuard said.
David Ramel is an editor and writer for Converge360.