Credit repair agency exposes private data on misconfigured Amazon cloud instance
Florida-based credit repair agency National Credit Federation is the latest in a growing list of companies and organizations to expose private data online.
This time, a cybersecurity company uncovered a huge amount of the company's private data on an unsecured Amazon Web Services S3 instance. Chris Vickery, director of cyber-risk research at UpGuard Inc., made the discovery Thursday. It involved 111 gigabytes of internal customer information, including sensitive personal and financial information for tens of thousands of customers.
The data consisted of customer names, addresses, dates of birth, driver’s licenses and Social Security card images, credit reports from all three major agencies, personalized credit blueprints containing detailed financial histories, and full credit card and bank account numbers.
Perhaps with some irony, at least some of the data publicly exposed by National Credit Federation consisted of private information obtained from Equifax Inc., the credit reporting agency that itself was hacked in September.
The positive news for customers of the company is that Vickery believes that there is nothing to indicate that the data has been accessed by malicious actors. But he added, “National Credit Federation data was left entirely accessible to anybody accessing the repository’s URL, highlighting the vital urgency for enterprises to secure their data and validate their configurations against any such exposures.”
Commenting on yet another “misconfigured” AWS S3 instance, Varun Badhwar, co-founder and chief executive officer of the cloud threat defense company RedLock Inc., told SiliconANGLE that the case highlights a lack of security overview at the enterprise level.
“Sadly, as organizations and lines of business migrate to public cloud services, IT [information technology] has lost control to some degree,” Badhwar said. “Moreover, IT lacks the tools needed to monitor, detect and report on compliance and security issues, as the nature of securing the cloud is very different than securing on-premise data centers. Enterprises often lack visibility into their cloud environments. Many don’t have a firm grasp as to which workloads are even in the cloud.”
The bottom line, he said, is that “you cannot secure what you cannot see. New approaches to continuous monitoring of cloud environments are enabling businesses to identify misconfigurations and anomalies before they become the cause of national headlines. This strategy will also allow companies to catch threats even as they emerge.”
Badhwar concluded that “we’ve changed the way we adopt technology. It’s time we change the way new technologies are secured.”
The National Credit Federation joins a growing list of companies that have exposed private data by failing to secure their AWS S3 cloud instances. Previous examples include the U.S. Army Intelligence and Security Command, Accenture Plc., Verizon Communications Inc. and the U.S. military contractor TigerSwan.
Photo: epublicist/Flickr