There have been a number of serious data breaches due to misconfigured servers that leave the information publicly exposed. A medical practice’s database server breached over 40,000 patient and staff records, and was only discovered by a cyber risk firm who was proactively searching the web.
In Q4 2017, Accenture left four of its AWS S3 buckets open to the public and exposed confidential API data, customer information and certificates, 40,000 passwords, secret decryption keys, software for the Accenture Cloud Platform offering and other sensitive data – almost all of which was stored in plain text. A misconfigured backup server exposed the information of an estimated 7,000 Bronx Lebanon Hospital patients.
The Verizon breach was also caused by a misconfigured AWS server where a basic access control setting was not applied to the cloud instance of AWS. Encryption had also not been applied to the storage volume within AWS by the thrid-party vendor who managed the systems.
Should you be worried about this within your own network? How prevelant is this issue?
A white hat hacker on Peerlyst tracking publicly accessible Amazon S3 buckets listed these for Feb 2018:
- Tesla left a console unprotected which had AWS access credentials: http://www.bbc.com/news/technology-43140005
- In a striking illustration of how cyber risk affects even the newest and most novel enterprises, the UpGuard Cyber Risk Team can now disclose that a cloud repository belonging to Octoly, a Paris-based marketing company, was left exposed, revealing a backup of their enterprise IT and sensitive information about thousands of the firm’s registered online personalities.
- FedEx openly exposed an archive of more than 119,000 scanned documents – including passports and drivers licenses – plus customer records.
This shared responsibility and the relationships organizations have with third-party vendors are especially important to keep top of mind as regulators begin passing legislation that imposes specific data privacy requirements for companies, such as the E.U.’s General Data Protection Regulation (GDPR). If a company stores any data on European citizens in the cloud, it should ask 3rd party providers specific questions to help ensure they comply.
The risk is clear. Cloud security is one aspect of your overall cybersecurity that should not be overlooked, and a cybersecurity assessment of the cloud systems could save you from a major exposure.