Data on 123M US households exposed in latest misconfigured AWS cloud storage case
Data on 123 million U.S. households has been found unsecured and open to the public in the latest and possibly biggest case to date of a company failing to secure data on an Amazon Web Services Inc. storage “bucket.”
Like those before, the discovery was made by UpGuard Inc. security researcher Chris Vickery, who wrote in a blog post today that the exposed cloud-based data repository comes from Alteryx Inc., a California-based analytics firm that specializes in gathering data for marketing purposes. The data included a staggering 248 different data fields for each household in the database revealing “billions of personally identifying details and data points about virtually every American household.”
To make matters worse, some of the data in the database came from other sources, including the U.S. Census Bureau and consumer credit reporting agency Experian Inc.
Although there is no direct evidence that the data was accessed by malicious third parties, Vickery does say that the data sat open to the public for months and that users should presume that it had been accessed. “Simply put, one dummy sign-up for an AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents,” Vickery wrote.
A spokesperson from Alteryx downplayed the leak. It told Forbes that “specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes.” It also said that the information in the file poses no risk of identity theft to consumers.
Commenting on the news, Varun Badhwar, co-founder and chief executive officer of RedLock Inc., told SiliconANGLE the case highlights the fact that third-party vendor relationships are an increasing cybersecurity risk. “Data from three different organizations — Alteryx, Experian and the U.S. Census Bureau — was revealed,” Badhwar said. “More companies should demand security audits of their partners, suppliers, and service providers, and implement tools such as continuous cloud infrastructure monitoring to identify misconfigurations and irregularities before they expose consumer and enterprise data.”
Bitglass Inc. CEO Rich Campagna noted that this is one of the largest AWS misconfiguration leaks seen to date and the latest of several mass incidents in 2017. “Cloud app misconfigurations continue to pose a major threat to data security and clearly calls for all organizations to reevaluate their security posture and processes,” Campagna said. “Despite its scale, this data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest.”
Zohar Alon, co-founder and CEO of Dome9 Security Ltd., was even more explicit, saying that these sorts of data leaks from simple misconfigurations are “outrageous – and frankly 100 percent avoidable.”
“In an age where organizations are running their entire infrastructure in the cloud, or developing business-critical applications in containers, we’re stuck discussing the implications of not changing the default settings on third-party software week after week,” Alon said. “While Alteryx is the latest victim to mistakenly expose its most sensitive information to the wider internet, it serves as another example of how any number of native and third-party tools could have prevented a very sticky situation.”
Discussing the possibility that the data may have been accessed, JASK’s Director of Security Research, Rod Soto, told SiliconANGLE that “there’s a good chance data is in the wrong hands” as “malicious actors are using many different tools to discover such buckets, or they are finding information in other sources such as github.com, or by performing other attacks that may get hints or direct clues of the use of AWS buckets.”
Soto advised that “every organization using S3 buckets needs to diligently address three main items in order to secure them: IAM Policies, Bucket Policies and Access Control Lists. The overall purpose of these items is to establish what can be seen publicly, who/what has access to it and what privileges are given to those access resources.”
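Two of the three items Soto lists, bucket policies and access control lists, can be checked mechanically. The sketch below is an added example, not code from UpGuard, Alteryx or AWS: it scans an ACL and a bucket policy, in the JSON shapes S3 returns for them, for grants to the global `AllUsers` and `AuthenticatedUsers` groups (the latter matches any AWS account) and for unconditional `Allow` statements with a wildcard principal. The sample documents, bucket name and account ID are constructed.

```python
import json

# Predefined S3 grantee groups. AuthenticatedUsers matches ANY AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def acl_findings(acl):
    """Return (group, permission) for every ACL grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append((uri.rsplit("/", 1)[1], grant["Permission"]))
    return findings

def policy_findings(policy):
    """Return actions that an unconditional Allow grants to a wildcard principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        # Simplification: statements with a Condition are skipped; review those by hand.
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            findings.extend(_as_list(stmt.get("Action", [])))
    return findings

# Constructed sample documents (not from the incident); the account ID is a placeholder.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
]}""")

if __name__ == "__main__":
    print("ACL grants to global groups:", acl_findings(SAMPLE_ACL))
    print("Policy actions open to anyone:", policy_findings(SAMPLE_POLICY))
```

IAM policies, the third item, attach to users and roles rather than to the bucket and need a separate review.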