It’s getting to the point where if you blink, you might miss another story about the accidental exposure of sensitive data stored in a public cloud instance.
Case in point: cybersecurity firm UpGuard recently found 36GB of data from the U.S. Census Bureau and consumer credit reporting agency Experian. The data, which was stored by data analytics firm Alteryx, was inadvertently exposed in an Amazon Web Services S3 cloud storage bucket.
Experian has called the incident — which affects 123 million U.S. households — “an Alteryx issue,” even as the credit monitoring firm’s customers were directly impacted.
UpGuard researcher Chris Vickery told CyberScoop that regardless of what organization is storing data, third-party vendor risk should be a point of concern for all involved.
“Third-party vendor risk is a problem for both parties,” Vickery said. “Look at it this way: If you store your valuables in a bank vault, and the bank forgets to close the door, it is not going to be just the bank’s problem when bad guys clean out the safety deposit boxes.”
Finding these exposures has become a prolific source of business for UpGuard. Vickery has found multiple instances this year, starting with an unprotected S3 bucket owned by a political data contractor that housed information on 200 million U.S. voters.
Amazon Web Services has made adjustments as Vickery’s work has garnered attention. The company now displays an “orange button” that alerts users to which servers have been made public or private. It also recently unveiled a tool, known as Macie, to proactively alert customers about stored public data that probably should be private.
“The problem, unfortunately, runs much deeper,” Vickery said.
For UpGuard, it’s very difficult to tell whether any unauthorized people accessed the exposed data. Yet if Vickery can find these exposures with relative ease, malicious actors scanning the same public areas can find — and eventually profit from — that data.
“An orange button is only good if a bucket administrator sees it, knows what it means, or indeed, cares about what it signifies,” Vickery said. “If it is an option to configure buckets to be entirely publicly accessible, a great many users will employ that option, regardless of the sensitivity of the stored data. And in many cases of exposed buckets UpGuard has found, even awareness of how sensitive the data stored in S3 buckets is may not be enough; errors in whether a bucket was deleted — or whether a configuration was updated — occurred because they simply fell through the cracks.”
Vickery says that, short of radical changes to how S3 is designed, he expects to find more exposed buckets in the coming year.
Representatives for Amazon Web Services did not respond to requests for comment.