UpGuard researchers yesterday disclosed yet another massive data leak due to a misconfigured Amazon Web Services S3 cloud storage bucket, this time exposing 123 million U.S. households’ personal information from the data analytics company Alteryx, including data from Alteryx partner Experian and the 2010 U.S. Census.
The bucket was configured to allow any Amazon Web Services user to access the data.
“From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” UpGuard cyber resilience analyst Dan O’Sullivan wrote in an analysis of the breach.
“The continuing concentration of data by a number of large enterprises, now wielding powerful technology of the sort provided by Alteryx, has not been accompanied by greater prudence and process improvement necessary to ensure that the data will remain securely stored,” O’Sullivan added.
Managing the Cloud
Awake Security co-founder and CEO Michael Callahan told eSecurity Planet by email that AWS misconfigurations like these are just one symptom of a larger issue. “Security analysts are so underwater with the barrage of alerts and tasks they receive each day that they don’t have time to go and hunt for misconfigurations like this — even when millions of consumers’ data are at stake,” he said.
A recent Fugue survey of more than 300 IT professionals, conducted by Propeller Insights, found that 42 percent of respondents have no cloud infrastructure governance processes in place, and 28 percent aren’t confident their cloud infrastructure is secure.
And while 41 percent of IT pros say they’re managing multiple cloud-based systems with significant use in product, 68 percent rely on paper-based checklists for infrastructure policies and 62 percent rely on manual reviews of infrastructure change.
Forty-four percent of respondents said they struggle to keep track of all the infrastructure they have running.
A separate Kaspersky Lab survey of 5,274 employees worldwide found that 35 percent of businesses are unsure if some pieces of corporate information are stored on company servers or on those of their cloud providers.
Twenty-four percent of businesses experienced a security incident affecting IT infrastructure hosted by a third party over the past year, and 47 percent of those suffered data loss, leakage or exposure as a result.
The top three types of data exposed as a result of third-party incidents were highly sensitive customer information (49 percent of SMBs, 40 percent of enterprises), basic employee information (35 percent of SMBs, 36 percent of enterprises), and emails and internal communication (31 percent of SMBs, 35 percent of enterprises).
Still, 70 percent of businesses using SaaS and cloud service providers have no plan in place to deal with security incidents affecting those partners.
“Today, businesses are leveraging cloud infrastructures more than ever because of the efficiency and flexibility to the organization, but this digital business transformation is presenting new questions around where data resides and how it’s being secured,” Kaspersky Lab North America senior director of enterprise sales Rob Cataldo said in a statement.
“When making the critical decision of which third-party providers to work with, businesses not only need to reevaluate their own cloud security posture, but they also need to have a discussion with third-party providers about their cyber security policies and treat the relationship as a business risk that needs to be continuously managed,” Cataldo added.