Massive data breach caused by unsecured AWS S3 cloud server.
Amazon Web Services hosts database servers for a wide variety of clients, but someone might need to take a look at the instruction manual. Once again, a company’s data has been accessed via an unsecured S3 server, and this one contains information on almost every single household in the US.
UpGuard, whose researchers have been instrumental in rooting out unsecured Amazon S3 servers, has found another cache of sensitive data that someone didn’t secure. This time, it’s a California-based data analytics firm that counts credit reporting agency Experian as one of its sources of data.
Big names breached
Experian is one of the top three reporting agencies worldwide, along with TransUnion and Equifax. Equifax suffered its own hacking event back in July, one that exposed the complete personally identifiable information of more than 143 million individuals around the world (most of them in the US), as well as payment card information for other affected individuals.
In this incident, the issue is the amount and type of data that companies like to collect and store without having the know-how to protect it. What they want to know has increased exponentially, but their security has not.
With great power…
According to researchers from UpGuard, “The continuing concentration of data by a number of large enterprises, now wielding powerful technology of the sort provided by Alteryx, has not been accompanied by greater prudence and process improvement necessary to ensure that the data will remain securely stored. The result has been, in the same way warming waters increase the power of hurricanes, that data exposures such as this are capable of exposing the vast majority of American households to compromise with one error.”
AWS S3 cloud storage
In each of the accidental data leaks involving companies using Amazon Web Services S3 cloud storage, the issue can be traced back to not having password protection on the server. That protection is a default setting from AWS, so in each instance, someone has stripped it away and left the data exposed to anyone who stumbles along. Fortunately for consumers, UpGuard has been doing all the diligent stumbling and informing those companies, but that does not mean someone nefarious didn’t quietly get there first.