A Rough Few Weeks for Cloud Security: Dow Jones Exposes Millions of Users' Data


UpGuard researcher Chris Vickery recently discovered that as many as 4 million customers' personal and financial information had been mistakenly exposed in an unsecured Amazon S3 bucket.

"The exposed data repository, an Amazon Web Services S3 bucket, had been configured via permission settings to allow any AWS 'Authenticated Users' to download the data via the repository's URL," UpGuard cyber resilience analyst Dan O'Sullivan wrote in a blog post examining the breach. "Per Amazon's own definition, an 'authenticated user' is 'any user that has an Amazon AWS account,' a base that already numbers over a million users; registration for such an account is free."

The names, addresses, account information, email addresses, and last four digits of credit card numbers of millions of subscribers to Dow Jones publications were exposed. While Dow Jones says 2.2 million customers were affected, UpGuard estimates the number at closer to 4 million.

Still, a Dow Jones spokesman told The Hill that the data exposed wasn't sensitive enough to justify notifying customers. "The customer information included basic contact information; it did not include full credit card or account login information that could pose a significant risk for consumes or require notification," the spokesman said.

"The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of the sensitive information of millions of Dow Jones customers," O'Sullivan added.

Communication and Security

Netskope CEO Sanjay Beri told eSecurity Planet by email that the Dow Jones breach is yet another example of the importance of securing cloud environments. "That doesn't simply mean 'educate your employees' -- that's important, but human error is always going to play an outsized role in data breaches," he said. "It's bound to happen, and someone who 'just forgot' or 'thought it had already been done' simply didn't set security measures up properly."

And when those mistakes happen, it's crucial to ensure that lines of communication are kept open. A recent Kaspersky Lab survey of 5,000 companies worldwide found that 46 percent of incidents in the past year involved an unintentional or unwitting cyber security compromise by employees -- and in 40 percent of cases, the employees involved tried to conceal the incident after it happened, amplifying the damage.

"The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments," Kaspersky Lab security education program manager Slava Borilin said in a statement. "If employees are hiding incidents, there must be a reason why."

"In some cases, companies introduce strict but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong," Borilin added. "Such policies foster fears, and leave employees with only one option -- to avoid punishment whatever it takes. If your cyber security culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious."

A Series of Cloud Breaches

This is just one of many breaches tied to Amazon S3 within the past few weeks -- UpGuard's Vickery also discovered 14 million Verizon customers' personal information in a publicly accessible Amazon S3 bucket, and Kromtech researchers found more than 3 million WWE fans' personal information in a publicly accessible Amazon S3 bucket.

"It seems like a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public," Bitglass CEO Rich Campagna said by email. "This approach could ensure that cloud services deny unauthorized access, and organizations could take it one step further and encrypt sensitive data at rest."

"Companies like Dow Jones, Verizon and anyone else using the public cloud for their infrastructure can easily enforce policies that require internal teams and third parties to adequately protect any customer data that touches the cloud," Campagna added.

In fact, a recent Clutch survey of 283 U.S. IT professionals found that 56 percent of companies spend more than $100,000 a year on additional cloud security measures. Sixty-four percent of respondents have implemented additional encryption of data as a security measure, 62 percent leverage third-party software or security management, 58 percent conduct on-site inspections and tests, and 54 percent conduct regular audits, either in-house or by a third party.

Notably, 69 percent of respondents feel more comfortable storing data in the cloud, while just 25 percent feel more comfortable storing data on a legacy system.