News

Yet Another Misconfigured Amazon S3 Bucket Exposes Dow Jones Customer Data

• By David Ramel
• 07/19/2017

Security firm UpGuard Inc. has found yet another unprotected S3 storage bucket on the Amazon Web Services Inc. (AWS) cloud, this one exposing personal data of millions of Dow Jones & Company customers.

The firm has been steadily identifying and publicizing such exposed data stores to highlight the dangers of misconfiguration practices that don't properly secure stored data with encryption, tighter access and so on.

While some S3 buckets have been found to be wide-open, the Dow Jones repository allowed semi-public access.

"The configuration of cloud-based storage by enterprises to allow public or semi-public access is by now an all-too-common story, a move that needlessly exposes sensitive customer data to the risk of exploitation," UpGuard said in a blog post this week. "The threat of such misuse is all too real, and indeed, has grown endemic, with a burgeoning cyber underworld in which malicious actors are able to swiftly take advantage of such user lapses for their own benefit."

UpGuard last week reported an exposed S3 bucket leaked Verizon customer data, and in June reported that an S3 misconfiguration leaked personal information about nearly 200 million U.S. voters.

The case also adds to the growing list of cloud-based security vulnerabilities being reported by various companies. For examples:

• Appthority recently found nearly 43 TB of enterprise data was exposed on cloud back-ends, including personally identifiable information (see "Firm Finds Terabytes of Unsecured Data, Personal Info on Cloud Back-Ends").
• In May, RedLock Inc. published a research report finding many security issues primarily caused by user misconfigurations on public cloud platforms, with AWS figuring prominently (see "Security Firm: No Encryption on 82 Percent of Public Cloud Databases").
• In April, an analysis of AWS cloud usage by Threat Stack Inc. revealed widespread critical AWS security misconfigurations affecting nearly three-quarters of more than 200 surveyed organizations (see "Security Analysis Shows Widespread Critical AWS Misconfigurations").

The AWS storage misconfiguration problem has become so pervasive that AWS has reportedly begun e-mailing customers maintaining S3 buckets to warn them of the danger.

According to iTnews, the e-mail states:

"We're writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet.

While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.

We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don't intend.

That warning and advice is added to the plethora of similar guidance on the AWS Web site, such as:

• Protecting Data in Amazon S3
• Managing Access Permissions to Your Amazon S3 Resources
• IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)
• How to Restrict Amazon S3 Bucket Access to a Specific IAM Role
• Protecting Data Using Encryption
• Getting Started: Follow Security Best Practices as You Configure Your AWS Resources

In the latest Dow Jones leak -- which was discovered in late May and soon patched up -- the data was available to anyone with AWS "Authenticated User" status, a free registration which UpGuard said more than 1 million users have. The data included names, addresses, account information and more data on at least 2.2 million customers.

"The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of the sensitive information of millions of Dow Jones customers," UpGuard said. "The data exposed in this cloud leak could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past. Finally, the aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information."