In a vivid reminder of the need to secure data in the cloud, researchers at UpGuard recently came across more than 1.8 million Chicago voters' personal information exposed online in a misconfigured Amazon S3 bucket belonging to voting machine company Election Systems & Software (ES&S).
The publicly downloadable data, which was discovered on August 11 by UpGuard director of strategy Jon Hendren, included voters' names, birthdates, addresses, phone numbers, driver's license numbers and the last four digits of Social Security numbers.
The data was put together by ES&S for the Chicago Board of Election Commissioners prior to the 2016 election. Since Chicago only had 1.5 million active voters in November 2016, the data appears to cover all of Chicago's voters, both active and inactive.
This is part of a larger trend -- other recent breaches linked to misconfigured Amazon servers have exposed 14 million Verizon customers' data, more than 3 million WWE fan's personal information, 4 million Dow Jones customers' personal data, over 60,000 sensitive Pentagon files, and approximately 48,000 Indian citizens' personal data.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"In the case of this breach, as well as others, this data was only exposed because the Amazon S3 bucket in question was configured to allow public access, permitting anyone accessing the repository's URL to download its content," UpGuard cyber resilience analyst Dan O'Sullivan noted in a blog post.
"AWS default settings are built to ensure that only authorized employees are able to access this data," O'Sullivan added. "Should this access configuration be changed, the IT enterprise in question must have processes in place to ensure such exposures are caught and remediated."
In a statement, ES&S said the data was secured the day after it was discovered, soon after UpGuard notified state and local officials. "ES&S also launched a full investigation, with the assistance of a third-party firm, to perform thorough forensic analyses of the AWS server," the company added.
ES&S said the investigation is ongoing, and the company is "in the process of reviewing all procedures and protocols, including those of its vendors, to ensure all data and systems are secure and prevent similar situations from occurring."
Bitglass CEO Rich Campagna told eSecurity Planet by email that breaches like these are often caused by well-meaning employees with excessive privilege and insufficient security oversight. "Organizations must leverage security technology, such as those provided by the public cloud providers, IDaaS providers and CASBs, which provide visibility and control over cloud services like AWS," he said.
"It could also be argued that any of these misconfigurations or accidental uploads could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks," Campagna added.
There is some good news for public cloud users. A recent Alert Logic study of over 3,800 customers found that those running applications on public cloud platforms experienced 405 security incidents over an 18-month period from August 1, 2015 to January 31, 2017, while on-premises customers experienced 51 percent more security incidents (612), hosted private cloud 69 percent more (684), and hybrid cloud 141 percent more (977).
And a recent CITO Research survey of 100 IT professionals, sponsored by Commvault, found that 56 percent of respondents have moved or intend to move all of their processes to the cloud, while 93 percent said they're moving at least some of their processes to the cloud.
The biggest barriers to doing so, respondents said, are the sheer volume of data (68 percent) and the challenge of developing staff skills and/or acquiring talent to support the migration (65 percent).