9 min read

Leaky Buckets: 10 Worst Amazon S3 Breaches

Ericka Chickowski

January 24, 2018

Leaky Buckets: 10 Worst Amazon S3 Breaches

The last year has proved out about security naysayers' warnings about the undisciplined use of cloud architectures. While many organizations work hard to secure data stored on cloud stores, the truth is that there's a lot of work to go. That fact is made abundantly clear by the growing number of incidents caused by extremely poor security hygiene within Amazon Simple Storage Service (S3) storage buckets that are holding very sensitive information.


According to recent statistics, as many as 7% of all S3 servers are completely publicly accessible without any authentication and 35% are unencrypted. And if the incidents of the past six months or so are any indication, these aren't low-value data stores. Here are some of the worst recent leaks caused by poorly configured Amazon S3 resources.

Booz Allen Hamilton

When: May 2017

Data Exposed: Battlefield imagery and administrator credentials to sensitive systems

The Lowdown: The U.S. defense contractor left data publicly accessible through an insecurely configured S3 account containing files related to the National Geospatial-Intelligence Agency (NGA), which handles battlefield satellite and drone imagery. Booz Allen claims the data itself was not connected to classified systems, but included in the data were remote login keys and credentials that could have been used to access more sensitive data.

U.S. Voter Records

When: June 2017

Data Exposed: Personal data about 198 million American voters

The Lowdown: A Republican-party backed big data firm, Deep Root Analytics, put personal information and voter profiling data at risk by storing them on a wide-open S3 server. The treasure trove of information combined publicly accessible voter information with additional market research data to come up with matrices about individual voters as to the likelihood of their voting behavior in coming elections.  

Dow Jones & Co

When: July 2017

Data Exposed: Personally identifiable information for 2.2 million people

The Lowdown: Wall Street Journal parent company Dow Jones & Co exposed personal information about more than 2 million customers through sloppy S3 configuration. In this case, permissions were set to allow anyone with a free AWS account access to a server containing millions of customer account details, as well as another database containing consumer data about millions of people for anti-money laundering regulatory compliance purposes.

WWE

When: July 2017

Data Exposed: Personally identifiable information about over 3 million wrestling fans

The Lowdown: Wrestling fans of the WWE got a smack down when the company leaked information about them, including addresses, birthdates, educational background, ethnicity, earnings and children's age ranges. The database of personal details was found on an S3 servers unprotected by any kind of authentication.

Verizon Wireless

When: July 2017 and September 2017

Data Exposed: Personally identifiable information about 6 million people and sensitive corporate information about IT systems, including login credentials

The Lowdown: Poorly secured S3 systems bit Verizon in the rear not once but two times last year with a pair of high-profile data exposures. The first was a leak of 6 million customer records when an employee of Verizon partner Nice Systems placed log information from customer service calls on a publicly accessible S3 server. Before anyone could give Verizon the benefit of the doubt for the actions of a partner, another S3 incident a few months later hit even closer to home. This time, an engineer within Verizon set up a rogue--and insecure--S3 account that contained a motherlode of proprietary technical information. That included data about the company's middleware, internal communications, production logs, server architecture details and login credentials.

Time Warner Cable

When: September 2017

Data Exposed: Personally identifiable information about 4 million customers, proprietary code, and administrator credentials

The Lowdown: A third-party vendor for Time Warner Cable, now Spectrum Cable, leaked customer information, proprietary code and remote login credentials through poor S3 configuration practices. The screw-up came at the hands of technology provider BroadSoft, which exposed the data through two S3 buckets configured to be open to the public.

Pentagon Exposures

When: 3 leaks found in September and November

Data Exposed: Terabytes of information from spying archive, resume for intelligence positions--including security clearance and operations history,  credentials and metadata from an intra-agency intelligence sharing platform.

The Lowdown: The U.S. Department of Defense (DOD) had an embarassing run of leak announcements last fall that showed a likely systemic disregard for the risk posed by poorly configured Amazon S3 buckets. Among the leaks uncovered was a spying archive that contained over 1.8 billion social media posts scraped for analytics purposes, metadata and private encryption keys used to hash passwords for accessing an intelligence sharing platform used to connect Pentagon systems, and thousands of resumes for job applicants seeking intelligence positions.

Accenture

When: October 2017

Data Exposed: The keys to the kingdom--master access keys for Accenture's account with AWS Key Management system, plaintext customer password databases, and proprietary API data

The Lowdown: Arguably one of the most damaging leaks in 2017 from a business risk standpoint, this doozy of an exposure featured at least four S3 buckets set to public containing a massive amount of mission-critical infrastructure data. Included in the leak were 40,000 passwords stored in plaintext, , architectural information and code for the company's client-facing cloud platform, decryption keys, certificates, API data and administrator login credentials.

National Credit Federation

When: December 2017

Data Exposed: 111GB of detailed financial information--including full credit reports--about 47,000 people

The Lowdown: This credit repair service put the financial lives of tens of thousands of customers at grave risk when it left extremely detailed financial information publicly available on an S3 bucket. The information includes credit card information, bank account details, full credit reports and just about any other detail needed to steal the identity and commit fraud in their name.

Alteryx

When: December 2017

Data Exposed: Personal information about 123 million American households

The Lowdown: This marketing and analytics company, which sells data aggregation and analytics for marketing purposes, put sensitive data at risk for the majority of American households. The database in question contained addresses, phone numbers, mortgage ownership, ethnicity and personal interest information about 123 million households, just 3 million less than all households recorded in the country. All of this was exposed on a publicly accessible S3 storage cache.

 

tags


Author


Ericka Chickowski

An award-winning writer, Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. Chickowski’s perspectives on business and technology have also appeared in dozens of trade and consumer magazines, including Consumers Digest, Entrepreneur, Network Computing and InformationWeek.

View all posts

You might also like

Bookmarks


loader