Security researcher finds trove of customer information on Amazon S3 hosted server.
Experts and advocates like those at the Identity Theft Resource Center have been tracking record-setting numbers of data breaches year after year for over a decade. They’ve been at the forefront of recording these events, through the Target data breach on Black Friday 2013, the Home Depot breach shortly after, the VTech breach that stole children’s photos and addresses, the Office of Personnel Management Breach that stole more than 21 million complete identities for government employees and family members, the Ashley Madison breach that unearthed a whole world of hurt on some cheating spouses, the Yahoo breach that exposed more than one billion email logins, and more.
In all that time, experts have identified different methods of attack, recognized that some occur as the result of intentional “inside job” perpetrators, and even acknowledged that some data breaches are purely accidental, such as a lost or stolen laptop containing unencrypted databases. Now, a new victim of a data breach wants to send a different message, one that doesn’t acknowledge a breach at all.
Millions of details
Security researcher Chris Vickery discovered a trove of customer information on an Amazon S3 hosted server belonging to Dow Jones & Co. Between two million and four million customers’ details were available as a text file, including their names, customer ID numbers, email addresses, the last four digits of the credit card on file, and more. While it wasn’t open to the entire internet, the bucket’s permissions granted read access to anyone logged into any Amazon Web Services account, not just Dow Jones’ own, so a single missing access-control setting put the data within reach of every AWS customer.
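The permissions mistake described above is a bucket ACL grant to one of S3’s two predefined groups: “AllUsers” (anonymous, fully public) or “AuthenticatedUsers” (any AWS account, which is what an “anyone with Amazon authentication” exposure amounts to). The following is an added example, not code from the original article or from Dow Jones, showing how to flag and strip such grants from an ACL in the shape returned by boto3’s get_bucket_acl(); the sample ACL is constructed for illustration. It checks only the ACL path, so a bucket policy that grants public read, or the absence of S3 Block Public Access, would need separate checks.

```python
# Added example: detect and remove S3 bucket ACL grants to the predefined
# groups that extend read access beyond the bucket owner's account.
# The ACL dicts below follow the boto3 get_bucket_acl() response shape.
# SAMPLE_ACL is constructed sample data, not a real bucket's ACL.
import copy

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# On a bucket ACL, READ lets the grantee list the bucket's objects;
# FULL_CONTROL includes READ (plus WRITE and ACL permissions).
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}

GROUP_LABELS = {
    ALL_USERS: "public (AllUsers)",
    AUTHENTICATED_USERS: "any AWS account (AuthenticatedUsers)",
}


def risky_grants(acl):
    """Return (who, permission) pairs for grants to the AllUsers or
    AuthenticatedUsers groups, i.e. to principals outside the owner's account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are account-scoped
        label = GROUP_LABELS.get(grantee.get("URI"))
        if label is not None:
            findings.append((label, grant.get("Permission")))
    return findings


def exposes_listing(acl):
    """True if the ACL lets anyone beyond the owner list the bucket's contents."""
    return any(perm in LISTING_PERMISSIONS for _, perm in risky_grants(acl))


def without_group_grants(acl):
    """Return a copy of the ACL with every predefined-group grant removed.
    The result is what you would pass back via put_bucket_acl(AccessControlPolicy=...)."""
    cleaned = copy.deepcopy(acl)
    cleaned["Grants"] = [
        g for g in cleaned.get("Grants", [])
        if not (g.get("Grantee", {}).get("Type") == "Group"
                and g["Grantee"].get("URI") in GROUP_LABELS)
    ]
    return cleaned


# Constructed sample: owner has FULL_CONTROL, plus a READ grant to every
# authenticated AWS account. The owner ID is a placeholder, not a real one.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for who, perm in risky_grants(SAMPLE_ACL):
        print(f"EXPOSED: {perm} granted to {who}")
    fixed = without_group_grants(SAMPLE_ACL)
    print("exposes listing after fix:", exposes_listing(fixed))
```

Run against a real bucket, you would feed `s3.get_bucket_acl(Bucket=name)` into `risky_grants` and, after review, push the result of `without_group_grants` back with `put_bucket_acl`; in practice the cleaner fix is to enable S3 Block Public Access, which also neutralises these group grants.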
When is a data breach not a data breach?
Dow Jones’ response is to insist that this is not a data breach but a data “overexposure”, on the grounds that no unauthorized access or activity has been discovered yet (well, except for the researcher who found it, accessed it, and was kind enough to point it out). That distinction might be enough to convince some states’ attorneys general that a notification trigger hasn’t occurred, although the customers whose details sat in that file might disagree.