Stop us if you’ve heard this before: Sensitive data was left publicly exposed on an Amazon Web Services S3 storage server owned by a billion-dollar corporation.
This time the offender is Verizon Wireless who left data including server logs and internal credentials exposed, according to Kromtech Security Research Center.
“Although no customers data are involved in this data leak, we were able to see files and data named ‘VZ Confidential’ and ‘Verizon Confidential’, some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon’s internal network and infrastructure,” Bob Diachenko, a Kromtech executive, explained in a statement. “Another folder contained 129 Outlook messages with internal communications within Verizon Wireless domain, again, with production logs, server architecture description, passwords and login credentials.”
The leak, first reported by ZDNet, is the latest in a long march of 2017 exposures highlighting just how easy it is for enterprises to leave sensitive data open in the cloud. Earlier this week, it was Viacom leaving master keys exposed. Earlier this year, researchers found 200 million registered voters’ data exposed on a public server and 60,000 Pentagon files exposed on a mistakenly public Booz Allen Hamilton server.
“An improperly configured S3 can lead to viewing, uploading, modifying, or deleting S3 objects by third parties,” Alex Kernishniuk, vice president at Kromtech, said. “To prevent S3 data loss or exposure and unexpected charges on your AWS bill, you need to grant access only to trusted entities by implementing the appropriate access policies recommended in this conformity rule. Bruteforce tools are already scanning all possible bucket names, analyzing configurations letter by letter and getting closer to your information every minute.”
The problem goes even deeper: about 175,000 misconfigured cloud software and services were spotted this year alone by the cybersecurity nonprofit GDI Foundation.
“Given the high number of incidents involving exposed S3 buckets that we have seen in the past few months, it is baffling that every organization is not carefully looking into the configurations and exposure levels of their storage in the cloud,” Zohar Alon, CEO at the cybersecurity firm Dome9, said. “Protecting data in the cloud from accidental exposure and theft is a business priority.”
Amazon launched a product last month called Macie designed to alert users to misconfigurations and security risks.
“Companies need to be held highly accountable for their lack of security on the public cloud,” Alon said. “The public cloud needs a united front on security with regular configuration checks and balances – where public cloud providers, third party tools with advanced features, and a governing body all work together in order to ensure corporate and consumer data stays safe and out of the reach of hackers.”
Verizon did not respond to a request for comment.