UPDATED 22:08 EDT / OCTOBER 17 2019

250,000 resumes exposed in latest case of misconfigured cloud storage

The resumes of more than 250,000 job seekers have been left exposed online by two companies, one in the U.S. and one in the U.K., in the latest case of publicly exposed cloud storage.

Today’s tale of another Amazon Web Services Inc. cloud misconfiguration comes from U.S. job board Authentic Jobs Inc., with 211,130 curriculum vitae, and U.K. retail and restaurant jobs app SonicJobs App Ltd., with 29,202 CVs. In both cases, the full resumes of job seekers were found exposed and included names, addresses, job histories and phone numbers.

The data exposure was discovered by security researcher Gareth Llewellyn and first reported Wednesday by Sky News in the U.K. Job seekers told the news site that they were concerned about their personally identifiable information being exposed in this way, although there is no evidence that it had been stolen. Both companies set their AWS instances to private when contacted by Sky and both said they were looking into how the misconfiguration took place.

Tim Erlin, vice president of product management and strategy at cybersecurity firm Tripwire Inc., told SiliconANGLE that these misconfigurations are at the heart of millions of disclosed records.

“Any organization using cloud storage must regularly audit the permissions to ensure these kinds of breaches don’t happen,” Erlin said. “When you apply for a job, you share sensitive personal data with the jobs board and the companies to which you’re applying. It’s their responsibility to protect that information from disclosure.”

Stephan Chenette, co-founder and chief technology officer of enterprise security firm AttackIQ Inc., emphasized the risks, saying that unfortunately, it doesn’t take much for cybercriminals to find databases left open to the public.

“There are tools designed to detect misconfigurations within cloud tools like Amazon’s S3,” Chenette pointed out. “Any organization that collects and stores consumer data must make securing that information a priority.”

Llewellyn told Sky News that Amazon should be doing more to secure databases. But Ben Goodman, senior vice president of global business and corporate development at digital identity firm ForgeRock Inc., noted that Amazon has stated that it is responsible for protecting the infrastructure that runs all of the services offered in the AWS cloud, while it remains up to the organizations using the service to take the necessary measures to secure their own data, such as ensuring that appropriate configurations are set up.

“However, Amazon is constantly innovating in this space and we expect they will partner up with identity access management vendors that complement existing AWS services in an attempt to prevent future security incidents,” he said.
