In a pair of major data breaches disclosed over the past few days, thousands of U.S. veterans’ personal information and more than 4 million Time Warner Cable customers’ data were found on unsecured and publicly accessible cloud servers.
Both breaches should serve as a strong reminder that cloud storage is only as secure as its access configuration: neither exposure required an exploit, only a storage bucket that had been left open to the public.
On July 20, UpGuard security researcher Chris Vickery found an Amazon Web Services S3 data storage bucket configured for public access that held resumes and applications for employment at the private security firm TigerSwan.
The applications contained thousands of applicants’ personal information, almost all of them U.S. military veterans. The exposed data included home addresses, phone numbers, work history and email addresses — as well as, in some cases, security clearances, driver’s license numbers, passport numbers and partial Social Security numbers.
“Most troubling is the presence of resumes from Iraqi and Afghan nationals who cooperated with U.S. forces, contractors, and government agencies in their home countries, and who may be endangered by the disclosure of their personal details,” UpGuard cyber resilience analyst Dan O’Sullivan wrote in a blog post examining the breach.
Blame for the Breach
Vickery notified TigerSwan of the discovery by email on July 21, then followed up by phone on July 22, when TigerSwan claimed to be working with Amazon to secure the data. Still, the files weren’t secured until over a month later, on August 24.
In a statement, TigerSwan attributed the delay to the fact that the data was actually controlled by third-party vendor TalentPen.
In a conversation with UpGuard, TigerSwan said, “we learned that our former recruiting vendor, TalentPen, used a bucket site on Amazon Web Services for the transfer of resumes to our secure server but never deleted them after our login credentials expired.”
“Since we did not control or have access to this site, we were not aware that these documents were still on the Web, much less were publicly facing,” TigerSwan added.
Willy Leichter, vice president of marketing at Virsec Systems, told eSecurity Planet by email that TigerSwan’s response reflects a disturbingly common pattern of blaming breaches on subcontractors. “Regardless of who actually made mistakes, the data controller — the organization entrusted to properly use and protect the data — is always responsible,” he said.
“TigerSwan’s lengthy statement essentially says, ‘We apologize, but it wasn’t our fault,’” Leichter added. “While the subcontractor may certainly share some blame, TigerSwan is still legally responsible for protecting data entrusted to them.”
User Profile Dump
Separately, Kromtech researchers recently found a pair of publicly accessible Amazon Web Services S3 buckets belonging to BroadSoft, which held thousands of records and reports belonging to several BroadSoft clients, most notably Time Warner Cable (TWC).
“The most potentially damaging discovery was the fact that it contained internal development information such as SQL database dumps, code with access credentials, access logs and more,” Kromtech chief communications officer Bob Diachenko wrote in a blog post. “These are all things that should not be publicly available online.”
One text file named “User Profile Dump, 07-07-2017” held more than 4 million records dating from 11/26/10 to 7/7/17, listing transaction IDs, user names, MAC addresses, serial numbers, account numbers, service, category details and more. “Other databases also have billing addresses, phone numbers, etc., for hundreds of thousands of TWC customers,” Diachenko noted.
“As we continue to see more and more cloud leaks appear, it reminds us that companies large and small must conduct regular audits to secure their data,” Diachenko added. “Misconfiguration of cloud-based storage repositories that allow public or semi-public access can result in a devastating data leak that requires no hacking or password.”
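The article does not say whether the TigerSwan and BroadSoft buckets were opened by an ACL grant or by a bucket policy; those are the two settings a regular audit of the kind Diachenko recommends has to inspect. What follows is an added example, not code from the article, UpGuard, Kromtech or AWS: a Python script that evaluates the JSON shapes returned by S3’s GetBucketAcl and GetBucketPolicy calls and reports any bucket whose ACL grants rights to the AllUsers or AuthenticatedUsers groups, or whose policy allows actions to Principal "*". The three buckets it checks are constructed for this example and are not the real TigerSwan or BroadSoft buckets.

```python
"""Offline audit of S3 bucket ACLs and bucket policies for public access.

Added example, not code from eSecurity Planet, UpGuard, Kromtech or AWS.
Inputs follow the JSON shapes returned by `aws s3api get-bucket-acl` and
`aws s3api get-bucket-policy`; every bucket below is constructed for this example.
"""
import json

# Grantee URIs that make an ACL grant world-readable (AllUsers) or readable by
# anyone holding any AWS account (AuthenticatedUsers), which is public in practice.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return the permissions an ACL grants to AllUsers or AuthenticatedUsers."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            grants.append(grant["Permission"])
    return grants


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}; both mean any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return Allow statements addressed to any principal.

    A statement with a Condition may still be restricted (for example to a
    source IP range), so it is reported with conditioned=True for manual
    review rather than silently accepted.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


def audit_bucket(acl, policy_document=None):
    """Combine the ACL and policy checks into human-readable findings."""
    findings = [f"ACL grants {p} to a public group" for p in public_acl_grants(acl)]
    if policy_document:
        policy = json.loads(policy_document)  # GetBucketPolicy returns the policy as a string
        for hit in public_policy_statements(policy):
            tag = "conditioned" if hit["conditioned"] else "unconditional"
            findings.append(f"policy statement {hit['sid']} allows "
                            f"{','.join(hit['actions'])} to any principal ({tag})")
    return findings


def audit(buckets):
    """Audit a {name: {"acl": ..., "policy": ...}} inventory; returns name -> findings."""
    return {name: audit_bucket(b["acl"], b.get("policy")) for name, b in buckets.items()}


# Constructed sample inventory (hypothetical bucket names); a real run would
# build it from list-buckets, get-bucket-acl and get-bucket-policy calls.
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64, "DisplayName": "example-owner"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_BUCKETS = {
    # A transfer bucket left world-readable through its ACL.
    "resume-transfer-example": {"acl": {"Owner": OWNER, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]}},
    # A private ACL, but a bucket policy that lets anyone fetch objects.
    "dev-dumps-example": {"acl": PRIVATE_ACL, "policy": json.dumps({
        "Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::dev-dumps-example/*"}]})},
    # Owner-only ACL and no policy: nothing to report.
    "private-example": {"acl": PRIVATE_ACL},
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(name, "->", findings or ["no public access found"])
```

To run this against a real account, feed it the output of `aws s3api list-buckets`, `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` for each bucket. Two caveats: individual objects can carry their own public ACLs even when the bucket ACL is private, so an object-level sweep is also needed; and S3’s account- and bucket-level Block Public Access setting (`aws s3api get-public-access-block`), which AWS introduced after these incidents, overrides public ACLs and policies when enabled, so an audit should also confirm it is turned on rather than relying on the grants alone.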
Prevalent director of product management Jeff Hill said by email that the BroadSoft breach serves as a reminder that you should never attribute to malice what can be reasonably explained by stupidity.
“Visibility into your vendors’ controls via a comprehensive third party risk management program provides insight into not just the controls and technologies that prevent or mitigate attacks by the bad guys, but also the procedures and policies that are meant to prevent untrained or careless employees acting innocently to inadvertently expose sensitive data in the vendors’ custody,” Hill said.