Leaving data in a publicly accessible location, where it can be found by anyone looking, is not exactly the textbook definition of a sophisticated data breach. Yet time and again, security researchers report on alleged “breaches” of data that organizations and their partners have left in the cloud in an openly accessible manner.
The latest such breach victim is telecom giant Verizon, which inadvertently exposed information about 6 million customers that was publicly posted on a cloud server by its partner NICE Systems. The Verizon data leak was discovered by researchers working with UpGuard’s CyberRisk Team and was publicly disclosed on July 12.
According to UpGuard, it first disclosed to Verizon that the cloud data was exposed on June 13, with Verizon finally securing the data on June 22.
“The data repository, an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra’anana, Israel headquarters, appears to have been created to log customer call data for unknown purposes,” UpGuard wrote in its disclosure. “Verizon, the nation’s largest wireless carrier, uses NICE Systems technology in its back-office and call center operations.”
UpGuard security researcher Chris Vickery is credited with the initial discovery of the data, which was found on an Amazon Web Services (AWS) cloud S3 storage instance. According to UpGuard, the S3 data repository enabled public access and the database was fully accessible simply by entering the correct S3 web address.
Verizon reportedly told CNN that no loss or theft of customer information occurred as a result of the database being publicly accessible on S3.
Verizon is not the first firm to leave data exposed on a cloud server. In June, Vickery reported that voter information from the Republican National Committee was left publicly exposed by its partner Deep Root Analytics. Earlier this month, it was revealed that wrestling entertainment firm WWE left information on millions of its fans open and exposed on a public AWS S3 instance as well.
Simply put, if data is left on the internet, be it on a standard hosted server or in the cloud at AWS or otherwise, it can and will be found.
A decade ago, security researchers used a common attack approach known as “Google Hacking,” in which simply entering specific search queries would yield results that led to unsecured data that the search engine had indexed. In the cloud era, a new generation of security researchers has used different tools, including the popular Shodan search engine, to find information that has not been secured or configured properly.
Properly securing data in the cloud isn’t all that different from securing data anywhere else. It starts with limiting access to only those services or authorized persons that need it. Storing data in the cloud does not change that rule, and those that use S3 and similar services would be wise to remember it. There is no obscurity in the cloud, or on the modern internet; if data is not protected with access control, encryption or authentication challenges, it will be found one way or another.
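As an added example (not code from the article, Verizon, NICE or UpGuard), the following Python check flags bucket-policy statements that grant access to any principal, run against a constructed public-read policy of the kind described above and against a hardened form that limits reads to a single IAM role; the bucket name, account id and role name are placeholders.

```python
# Constructed sample S3 bucket policies (not from the article or from Verizon/NICE).
# The weak one mirrors the misconfiguration described: any anonymous principal
# may read every object simply by knowing the bucket's web address.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-call-logs/*",
    }],
}

# Hardened form: one named IAM role (placeholder) may read; plaintext transport is denied.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/call-log-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-call-logs/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-call-logs", "arn:aws:s3:::example-call-logs/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

def _is_wildcard_principal(principal):
    """True when a statement's Principal covers everyone, anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy):
    """Sids of Allow statements open to any principal. A Deny with Principal "*"
    is a restriction, not a grant, so it is skipped."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))]
```

Any non-empty result from `public_statements` on a bucket holding customer data is the condition the article describes and should be treated as an incident, not a finding to schedule.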
Leaving a database open without any access control or authentication checks is not a data breach or a leak; it’s just plain and simple negligence.