Dow Jones risk screening watchlist exposed on misconfigured AWS server
Another day, another data exposure on a misconfigured Amazon Web Services Inc. server instance. The latest one, however, involved an especially high-profile company: Dow Jones & Co.
A list maintained by Dow Jones, owned by News Corp. since 2007, was found by security researcher Bob Diachenko and announced Wednesday. He found an exposed Dow Jones database on an AWS Elasticsearch instance.
The data included personal details relating to what Diachenko identifies as “government officials, politicians and people of political influence in every country” as well as their relatives, close associates and the companies to which they’re linked. The watchlist is used by banks and other financial institutions to flag customers who might be a risk for bribery or corruption.
Dow Jones confirmed the breach but said in a statement that “at this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.”
Chris DeRamus, chief technology officer of DivvyCloud Corp. told SiliconANGLE that this security lapse adds to a growing list of organizations in the new year that have left Elasticsearch servers unprotected, exposing a lot of proprietary data.
“Dow Jones suffered a similar cloud storage misconfiguration two years ago that exposed the information of 2.2 million customers,” he said. “It’s concerning that with this new exposure, Dow Jones clearly did not take proper steps to strengthen its security posture. Organizations must realize the importance of balancing their use of the public cloud, containers, hybrid infrastructure and more with proper security controls.”
Carl Wright, chief commercial officer at AttackIQ Inc., noted that the data breach is particularly egregious both because of the lack of a password and the sensitivity of the data.
“There may be people on the list that are innocent, and the risky individuals are now aware they are on the list and can change their tactics to avoid detection in the future,” Wright said. “Such leaks are often caused by gaps in security programs that can be easily detected and prevented. Organizations must take proactive approaches to protect their data through continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses.”
Anurag Kahol, chief technology officer and founder of Bitglass Inc., didn’t hold back either.
“Leaving this information unprotected is both careless and irresponsible – as is failing to address the issue in detail with the public,” Kahol said. “While all organizations need to defend their data, Dow Jones, in particular, must adhere to the highest of security standards. The type of information that they collect, store and share demands it.”
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.