Personal and employment details of thousands of British professionals as well as data stored by several British consulting firms were discovered by security researchers in an unprotected AWS (Amazon Web Services) S3 database that had no protection from unauthorised access whatsoever.
The unprotected AWS database was discovered by security researchers at VpnMentor on 9th December and access to the database was closed after the researchers approached both AWS and CERT-UK after failing to contact the true owners of the database.
It is not known for how long the database was active or left unprotected, but researchers Noam Rotem and Ran Locar found that most of the data stored in it were from 2014-15 and some of the data dated back to 2011.
A detailed analysis of the database revealed that it contained data stored by several British consulting firms such as Dynamic Partners, Eximius Consultants Limited, Garraway Consultants, IQ Consulting, Partners Associates Ltd, and Winchester Ltd. Some of these consulting firms are no longer operating.
The database also contained personal and employment details of thousands of British professionals and the researchers believe that these details were collected and stored by CHS Consulting, a London-based consulting firm. However, whether CHS Consulting owned the database could not be established as the researchers were unable to contact the firm.
Unprotected AWS database stored every possible personal detail of British professionals
Personal and employment details in the database included thousands of passport scans, tax documents, job applications, proofs of address, records of background checks, criminal records, expenses and benefits forms, scanned contracts with signatures, emails, private messages, salary information with details of roles and positions, and tax documents related to HMRC.
That’s not all. The researchers also found a wealth of personal and financial information such as full names, addresses, phone numbers, email addresses, dates of birth, gender, nationalities, salary details, and immigration and visa status of thousands of British professionals.
“Companies using the cloud are mostly driven by the desire to achieve certain functionality, not security. Consequently, security is often an afterthought and retrofitted on the cloud application, and not as a core tenet of the adoption. If organisations were adding new technologies to the on-prem environment, they would go through a thorough review and testing to make sure it met their needs and was secure,” says Alan Radford, technical director at One Identity.
“Because the cloud is so easy to adopt (you just subscribe and go) the tendency is to avoid the important security review step, or assume it is the provider’s responsibility. The best practices for maintaining security when moving to the cloud are to treat all cloud infrastructure just like you treat your on-prem environment. Strive to have consistent policies across both. Put as much rigor into your security approach to the cloud as you do to on-prem. Plan for the worst and act accordingly,” he adds.
Sergio Loureiro, Cloud Security Director at Outpost24, says that the solution for low-hanging data is to perform continuous data risk assessments before the attackers do. This can be automated and need not be another big burden for security teams.
“For more sophisticated attacks such as ransomware, the data risk assessments help prevent them as well by not leaving your data storage open and by tightening the scope of data that ransomware may access. Today, cloud providers such as AWS, Azure and GCP are launching tools for customers to tackle this issue, which can be complemented by cloud security posture management solutions and cloud workload protection platforms, using the terminology by Gartner.”
Multiple instances of firms storing large volumes of data in unprotected servers
The worrying part about data breaches, either due to poor security protocols implemented by cloud database users or the complete lack of protection around sensitive data, is that these incidents continue to happen at an alarming rate despite the introduction of tough data protection regulations or the imposition of steep fines by regulators.
In February, personal information such as names, dates of birth, and social security numbers of present and former employees of security firm Palo Alto Networks was compromised when one of the firm’s third-party vendors inadvertently posted the said data online.
In 2016, cyber security consultancy firm Accenture narrowly avoided a massive data breach after it was revealed that the firm stored bundles of sensitive data containing decryption keys and customer information in four cloud servers without protecting them with passwords.
The unprotected AWS cloud servers were discovered by security research firm UpGuard who found that the servers contained sensitive Accenture data including secret APIs, authentication credentials, certificates, decryption keys, and customer information. All this data (up to 137GB) was publicly downloadable and could be accessed by anyone with web addresses for the four unsecured servers.