A Washington internet service provider is the latest company found to have exposed confidential data via a misconfigured Amazon Web Services instance, or virtual server. But in a serious twist to a common tale, the data was far more than simple customer details.

The company in question is called PocketiNet Communications Inc. and UpGuard Inc. found 73 gigabtyes of exposed data hosted on AWS S3 storage “bucket.” The data included plain text passwords and AWS secret keys for PocketiNet employees, internal network diagramming, configuration details and inventory lists, and photographs of Pocket iNet equipment, including routers, cabling, and towers.”

Adding insult to injury, the company itself was also using default logins for services, with most of the accounts detailed named “root” or “admin.”

“The malicious potential should these credentials fall into the hands of a bad actor is extremely high, creating risk for the entire PocketiNet network infrastructure,” UpGuard noted. “Exposing files like this offers up the keys to the kingdom, but in truth, such files should not exist in any form.”

UpGuard said it took over a week for PocketiNet to secure the data, and only after UpGuard sent multiple emails and called the company.

Rich Campagna, senior vice president of product management at Bitglass Inc., told SiliconANGLE that PocketiNet’s AWS misconfiguration is yet another example of how a simple, overlooked problem can expose massive amounts of information, harming individuals and organizations alike.

“It seems that leaving servers unsecured has become one of the most common security issues and, consequently, one of the most widely targeted vulnerabilities in the enterprise,” Campagna explained. “Unfortunately, organizations of all sizes, especially smaller ISPs like PocketiNet, have limited IT resources in terms of security tools and personnel, making them susceptible to misconfigurations. Despite this, there are tools that can help address this issue.”

As a result, he added, “organizations must adopt solutions that can continuously monitor networks for misconfigurations, enforce data loss prevention policies in real time, and provide user and entity behavior analytics. For organizations to succeed, it is imperative that they implement flexible, robust, cost-effective security solutions.”

PocketiNet in the latest in a never-ending list of companies exposing data via misconfigured AWS instances, a recent example being GoDaddy Inc. in August.

Image: PocketiNet