Five Cloud Security Breaches That Show Enterprises Still Don't Get It
A series of data breaches caused by shockingly irresponsible data storage practices may indicate that many enterprises are still treating cloud security as an afterthought.
November 1, 2017
![security security](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt27180c01b26c2638/65245e5347802033e119364b/ThinkstockPhotos-security2.jpg?width=700&auto=webp&quality=80&disable=upscale)
Partial credit card numbers were exposed, along with names, home and email addresses, and account information for over 2 million Dow Jones customers when it set permission to download the data to “Authenticated Users” of AWS, eSecurity Planet reports. That includes over a million AWS users, and anyone who registers an account for free.
The home and email addresses, birthdates, and other personal information of more than 3 million accounts was stolen from an unprotected WWE database sitting on an AWS S3 server without password protection, in a breach discovered in July, according to Forbes. Users’ ethnicities and the ages of their children was also included in the plain text database.
After being contracted by the Republic National Committee to identify audiences for political ads, Deep Root Analytics left more than a terabyte of data, according to ITPro, including advanced sentiment analysis, on a cloud server without password protection, leaving it available to anyone who knew or discovered the URL.
UpGuard, the same security company that initially identified the Deep Root Analytics and Dow Jones leaks, informed Verizon in June that the names, phone numbers, and some PIN codes from roughly 6 million of its customers were sitting in public view on an AWS S3 server.
Hackers logged on to the company’s email system as administrators, and grabbed confidential emails containing information about some of its household names company and government agency clients from Deloitte’s Microsoft Azure cloud, the Guardian reports. The breach was only noticed months later.
Hackers logged on to the company’s email system as administrators, and grabbed confidential emails containing information about some of its household names company and government agency clients from Deloitte’s Microsoft Azure cloud, the Guardian reports. The breach was only noticed months later.
A series of data breaches caused by shockingly irresponsible data storage practices may indicate that many enterprises are still treating cloud security as an afterthought.
Misconfigured Amazon Web Services S3 storage is the culprit in several of the recent exposures, but the common element for all is that enterprise customer data was stored without adequate security measures, with either simple username and password protection, or none at all.
“They inherently believe they get all these magical properties of security by moving [to the cloud], and it just doesn’t happen,” said Josh Douglas, chief strategy officer for cyber services at defense, civil government and cybersecurity giant Raytheon.
Big data companies and household corporate names should have processes in place to prevent customer or sensitive corporate data from being left unprotected, and to detect misconfigurations. Additionally, two-factor authentication was not used in any of the five leaks below, and may have prevented each of them.
“It is a basic part of cyber hygiene, and while it might not have prevented the intrusion altogether, it would have at least slowed the attackers and forced them to use more sophisticated methods,” Douglas said.
While the responsibility for protecting data lies with the enterprise and its partners, the apparent lack of sound cloud security practices is an opportunity for service providers and consultants.
Click through the slideshow to see five recent security breaches that could have been prevented.
About the Author(s)
You May Also Like