Written byPatrick Howell O'Neill
Approximately 600 gigabytes of data containing 4 million records that held sensitive information on Time Warner Cable customers were mistakenly available to the public, a security firm discovered in August.
Kromtech Security Center announced on Friday that it found two Amazon Web Services S3 bucket repositories containing private information but lacking a password. The buckets are likely connected to BroadSoft, Inc., an IT infrastructure firm active in 80 countries. The company is reportedly exploring a billion-dollar sale and its stock price is soaring. BroadSoft did not respond to a request for comment.
The publicly available data spans from Nov. 2010 to July 2017. The trove contains access credentials, access logs, usernames, transaction IDs, MAC addresses, serial numbers, account numbers, billing addresses, phone numbers and more. Due to the “massive amount of sensitive information” in the repository, it would “take weeks to fully sort through all the data,” according to Kromtech’s researchers.
“In this case engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access company’s network and infrastructure,” Bob Diachenko from Kromtech said in a statement.
Time Warner Cable was acquired by Charter Communications in 2016. A Charter spokesperson emphasized that 4 million leaked records did not mean that 4 million unique customers are impacted and that the company did not know how many customers are affected.
“Due to the sheer size of the cache, it was not immediately clear precisely how subscribers were affected,” a Charter spokesperson told CyberScoop. “The leaked data included usernames, emails addresses, MAC addresses, device serial numbers, and financial transaction information—though it does not appear that any Social Security numbers or credit card information was exposed.”
Kromtech reported that, once the leak was shared, a BroadSoft employee denied they owned the repositories and then shortly thereafter promptly closed public access.
“Unfortunately, oftentimes developers like to simplify their life or quickly resolve some technical problems and grant public read access to the buckets,” Kromtech’s Alex Kernishniuk said.
This incident is just the latest in a long line of leaks from problematic AWS S3 buckets including 200 million registered voters exposed from an S3 bucket, 14 million Verizon customers exposed and 60,000 Defense Department files exposed in a Booz Allen Hamilton leak, among others.
The effective securing of data in the cloud is an ongoing challenge where failures — easily spotted both by security researchers and hackers — quickly scale up to enormous-sized leaks.