Establishing Digital Trust: Don't Sacrifice Security for Convenience
Despite all the attention that unsecured Amazon S3 buckets have gotten lately as a cause of data leaks, companies continue to leave data exposed online. The two latest major breaches to occur as a result have exposed over 316,000 medical records and several gigabytes of sensitive data belonging to Accenture.
On September 29, Kromtech researchers came across a publicly accessible Amazon S3 bucket containing 316,363 PDF reports listing weekly blood tests for at least 150,000 different patients.
The data appeared to belong to PHM, a company that offers an in-home blood testing program for Coumadin patients. The researchers notified the company by email on October 5, and while PHM didn't respond to the email, the bucket was secured on October 6.
The 47.5 GB of data included patient names, addresses, phone numbers and test results. Each PDF document was named after the patient, listing the patient's first and last names and the testing dates. Physicians' names, case management studies, and additional client data were also exposed.
Evident.io CEO Tim Prendergast told eSecurity Planet by email that the PHM breach is a reminder of how damaging a data breach can be. "In the hands of the wrong people, health information can be falsified and erased, and that could lead to life-threatening outcomes," he said.
Separately, on September 17, UpGuard researcher Chris Vickery came across four Amazon S3 buckets belonging to Accenture that were configured for public access. The servers appeared to contain software for the Accenture Cloud Platform, including thousands of login credentials as well as configuration data.
"In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage," UpGuard cyber resilience analyst Dan O'Sullivan wrote in an analysis of the breach.
Netskope CEO Sanjay Beri said by email that companies need to take the necessary precautions to avoid such an easily avoidable data leak. "Misconfigured buckets are often the result of innocent oversights that can otherwise be checked by automation in the form of access control and anomaly detection, as well as continued employee education," he said.
"Cyber vulnerabilities are under the microscope now more than ever, and risk factors are only growing," Beri added. "Organizations are running out of excuses when it comes to vulnerable infrastructure, so let's hope that this latest incident serves as a much-needed wakeup call."
The Breach Epidemic
Other cloud leaks disclosed over the past few months have exposed as many as 4 million Dow Jones customers' data, over 3 million WWE fans' personal information, more than 1.8 million Chicago voters' personal data, and almost 600,000 Alaskan voters' information.
Recent Skyhigh Networks research determined that 7 percent of all Amazon S3 buckets are configured for unrestricted access, and 35 percent are unencrypted.
Still, a recent 2nd Watch survey of more than 1,000 enterprise IT professionals found that 60 percent of respondents have already moved or will soon move all of their IT infrastructure to the cloud, and 40 percent believe their applications and data are fully protected by their cloud service provider.
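An automated check for the "unrestricted access" configuration counted above can be run over bucket settings an account owner has already fetched. The following is an added example, not part of the original article or any vendor's tooling. The function names and sample data are constructed for illustration, and the dictionaries are assumed to have the shape of S3 GetBucketAcl and GetBucketPolicy responses.

```python
import json

# Predefined S3 groups whose ACL grants expose a bucket beyond its owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_acl_grants(acl):
    """Return (permission, audience) for each ACL grant to a public group."""
    return [(g["Permission"], PUBLIC_GROUPS[g["Grantee"]["URI"]])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def _wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def public_policy_statements(policy_json):
    """Return (Sid, verdict) for Allow statements open to every principal."""
    # No Condition -> "public"; a Condition needs human judgement -> "review".
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [(s.get("Sid", "<no Sid>"), "review" if s.get("Condition") else "public")
            for s in stmts
            if s.get("Effect") == "Allow" and _wildcard(s.get("Principal"))]

def is_exposed(acl, policy_json=None):
    """A bucket is exposed if any public ACL grant or public statement exists."""
    policy = public_policy_statements(policy_json) if policy_json else []
    return bool(public_acl_grants(acl)) or any(v == "public" for _, v in policy)

# Constructed sample configuration (placeholders, not from any real bucket).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    {"Sid": "OneAccount", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

On the sample data, the ACL check reports the public READ grant, and the policy check marks `PublicGet` as public and `VpcOnly` as needing review, while the statement scoped to a single account is not flagged.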
"In order to adequately protect their companies and customers, it's critical that IT professionals work closely with their cloud providers and partners to fully understand their cloud security responsibilities, and implement a plan that meets their needs," 2nd Watch co-founder and EVP Jeff Aden said in a statement.