Kromtech security researchers recently came across two publicly accessible Amazon S3 buckets containing 3,065,805 World Wresting Entertainment (WWE) fans’ names, email addresses, phone numbers, mailing addresses and demographic information dating back to 2014-2015.
The buckets also held marketing and customer data, as well as spreadsheet containing detailed information on the activity of WWE’s social media accounts.
“Both buckets were secured within a couple of hours after we sent notification messages to the emails of the WWE Corp developers found in the first bucket,” Kromtech chief communication officer Bob Diachenko wrote in a blog post.
“However, no answer or feedback was received as of for how long these data were exposed, how many customers had their info exposed, and how many IP addresses may have accessed the database by now,” Diachenko added.
Database Vulnerability
In a statement provided to Forbes, a WWE spokesperson said, “Although no credit card or password information was included, and therefore not at risk, WWE is investigating a potential vulnerability of a database housed on a third party platform.”
“In today’s data-driven world, large companies store information on third party platforms, and unfortunately have been subject to similar vulnerabilities,” the spokesperson added. “WWE utilizes leading cybersecurity firms to proactively protect our customer data.”
Bitglass product manager Salim Hafid told eSecurity Planet by email that the leak is yet another example of a major organization suffering a lapse in cloud security and data privacy awareness. “Proper configuration and controls that prevent data leakage are critical for platforms like AWS where millions of user records are often stored and readily accessed,” he said.
“As public cloud adoption rises, organizations must have configurations and controls tightly sealed on all fronts — their customer’s sensitive personal data depends on it,” Hafid added.
Proper Configuration
Dome9 co-founder and CEO Zohar Alon said that while Amazon S3 has been a key driver of the cloud computing revolution, many users don’t fully understand how to configure S3 buckets to prevent data exposure. “Storing sensitive data in the cloud without putting in place appropriate systems and practices to manage the security posture is irresponsible and dangerous,” he said.
“A simple misconfiguration or lapse in process can potentially expose private data to the world and put an organization’s reputation at risk,” Alon added. “We are just starting to see the repercussions of this gap now.”
A recent Clutch survey of 283 U.S. IT professionals found that 67 percent of companies plan to increase their cloud computing spend in 2017, and 45 percent see security as a top benefit of using the cloud.
A separate Cohesive Networks survey of more than 100 IT pros found that 60 percent of respondents only “somewhat” trust cloud providers’ security, and 51 percent feel confident in their data security at rest in the cloud.
“To have confidence in the security of data in transit, developers need to protect it from point to point and have reasonable confidence in the tools and protocols they use to secure it,” Cohesive CEO and co-founder Patrick Kerpan said in a statement.
