Dow Jones risk screening watchlist exposed on misconfigured AWS server
Another day, another data exposure on a misconfigured Amazon Web Services Inc. server instance. The latest one, however, involved an especially high-profile company: Dow Jones & Co.
The watchlist, maintained by Dow Jones, which has been owned by News Corp. since 2007, was found by security researcher Bob Diachenko, and the discovery was announced Wednesday. He found an exposed Dow Jones database on an AWS Elasticsearch instance.
The data included personal details relating to what Diachenko identifies as “government officials, politicians and people of political influence in every country” as well as their relatives, close associates and the companies to which they’re linked. The watchlist is used by banks and other financial institutions to flag customers who might be a risk for bribery or corruption.
Dow Jones confirmed the breach but said in a statement that “at this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.”
Chris DeRamus, chief technology officer of DivvyCloud Corp., told SiliconANGLE that this security lapse adds to a growing list of organizations in the new year that have left Elasticsearch servers unprotected, exposing a lot of proprietary data.
“Dow Jones suffered a similar cloud storage misconfiguration two years ago that exposed the information of 2.2 million customers,” he said. “It’s concerning that with this new exposure, Dow Jones clearly did not take proper steps to strengthen its security posture. Organizations must realize the importance of balancing their use of the public cloud, containers, hybrid infrastructure and more with proper security controls.”
Carl Wright, chief commercial officer at AttackIQ Inc., noted that the data breach is particularly egregious both because of the lack of a password and the sensitivity of the data.
“There may be people on the list that are innocent, and the risky individuals are now aware they are on the list and can change their tactics to avoid detection in the future,” Wright said. “Such leaks are often caused by gaps in security programs that can be easily detected and prevented. Organizations must take proactive approaches to protect their data through continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses.”
Anurag Kahol, chief technology officer and founder of Bitglass Inc., didn’t hold back either.
“Leaving this information unprotected is both careless and irresponsible – as is failing to address the issue in detail with the public,” Kahol said. “While all organizations need to defend their data, Dow Jones, in particular, must adhere to the highest of security standards. The type of information that they collect, store and share demands it.”