Tens of Thousands of Full Credit Histories Exposed in Amazon S3 Bucket

Despite Amazon’s recent launch of its GuardDuty threat detection service, the trend of major cloud breaches continues: UpGuard researchers recently came across 111 GB of sensitive customer information from the Florida-based credit repair service National Credit Federation (NCF), being stored in an Amazon Web Services S3 bucket configured for public access.

The exposed data would be a treasure trove for any cybercriminal. Forty-seven thousand files, largely PDFs and text documents, held customer names, addresses, birthdates, credit reports from all three major agencies, detailed financial histories, full credit card and bank account numbers, and images of driver’s licenses and Social Security cards.

“The personal documents submitted by customers to NCF are expansive and highly sensitive; their exposure left tens of thousands of individuals entirely compromised against the threats of identity theft and financial attack,” UpGuard cyber resilience analyst Dan O’Sullivan wrote in an analysis of the breach.

“In order to ensure that the pandemic of cloud leaks and data exposures of this kind is arrested, enterprises must become serious about investing time and resources into full visibility and control of their systems,” O’Sullivan added.

Lack of Visibility

Enterprises are certainly aware of the problem. A recent Ixia survey of more than 350 IT professionals at companies with over 1,000 employees found that more than 90 percent of respondents are concerned about data and application security in the public cloud.

“As cloud adoption grows, concerns are shifting from migration topics to security and data visibility topics in the cloud environment,” Ixia chief marketing officer Jeff Harris said in a statement.

Almost 60 percent of respondents said public cloud environments make it more difficult to maintain visibility into data traffic, and fully 88 percent said they’ve experienced a business-related issue due to a lack of visibility into public cloud data traffic.

Respondents’ top three priorities regarding the public cloud are securing data and applications, satisfying compliance requirements, and increasing cloud expertise.

SMB Security

Smaller companies, though, don’t seem to be taking the threat as seriously.

Sixty-two percent of small businesses that store customer credit card and banking information in the cloud don’t follow industry regulations regarding data security, a recent Clutch survey of 300 IT decision makers at U.S. small businesses with 500 or fewer employees found.

Still, 90 percent of respondents rated their current cloud storage as “very” or “somewhat” secure.

To protect data in the cloud, 60 percent of respondents use encryption, 58 percent leverage employee training, 53 percent use two-factor authentication, 44 percent maintain an in-house cloud storage use policy, and just 31 percent follow industry regulations.

“Small businesses remain confident in cloud storage security,” the report states. “Yet small businesses cannot let that confidence stop them from implementing additional security measures and following industry regulations. Additional security measures such as encryption, employee training and two-factor authentication protect data in cloud storage against security breaches and employee error.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
