A database uploaded to Amazon’s S3 cloud server by Dow Jones and configured to allow semi-public access exposed sensitive data belonging to 2.2 million customers.
The said database belonging to Dow Jones and containing customer data could be accessed by anyone with an Amazon Web Services account.
Cyber security research firm UpGuard has revealed how financial publishing firm Dow Jones, which is also the parent company of The Wall Street Journal, recently uploaded a database containing sensitive customer data to Amazon’s S3 cloud server. The database was recently configured to allow semi-public access and, as the UpGuard Cyber Risk Team found out, could be accessed by anyone with an Amazon Web Services account.
The database contained names, customer IDs, home and business addresses, account details, last four digits of credit card numbers, email addresses and in some cases, phone numbers of millions of Dow Jones subscribers.
Even though Dow Jones has confirmed that 2.2 million customers were exposed, the UpGuard Cyber Risk Team believes the number of affected customers could be as high as 4 million.
‘The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of the sensitive information of millions of Dow Jones customers. The data exposed in this cloud leak could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past,’ noted Dan O’Sullivan from UpGuard.
‘The aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information,’ he added.
Dow Jones has played down the importance of the leaked data, stating that it “did not include full credit card or account login information that could pose a significant risk for consumers or require notification.” A spokesman from Dow Jones added that the database contained only basic contact information and that there was no evidence that the information was taken.
According to UpGuard, the database offered a brilliant opportunity to cyber-criminals to use the available information to send phishing e-mails to customers by posing as The Wall Street Journal or any other publication.
“Sending official-looking emails purporting to be from the Wall Street Journal notifying customers their subscription had lapsed, or that their accounts had been compromised, malicious actors could have succeeded in convincing such high-value targets to supply credit card information, login credentials, or more,” the firm noted.
It added that risky handling of customer data isn’t limited to small-scale and mid-level firms but can also be committed by ‘esteemed, well-known organizations occupying the upper echelons of the financial world’.
‘Enterprises must start regaining control over their IT systems to ensure easily preventable mistakes are caught quickly, or face a costly digital backlash,’ O’Sullivan concluded.
Earlier this month, security firm Kromtech revealed that sensitive details of 3 million WWE fans were exposed after an unsecured database belonging to the WWE Corporation was uploaded to Amazon’s S3 cloud server and could be accessed by anyone ‘who knew the web address to search’.
Kromtech discovered that the database was not protected by any username or password and stored information on WWE fans in plain text. The information included income details, addresses, educational background, ethnicity, email addresses, birthdates, as well as gender and age ranges of children, the latter being optional requirements.
“In the last month, we’ve seen three high profile data incidents of this nature: Deep Root Analytics, Verizon Wireless and now Dow Jones. The difficulty with stopping this kind of thing is that it originates from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk,” says Rich Campagna, CEO at Bitglass.
“Organisations must realise that they are responsible for configuring the cloud services they use in a secure manner. For Dow Jones, there are a host of technologies available today that could have quickly, easily and cost effectively ensured appropriate configuration of the cloud service and encrypted the customer data, en route to the cloud. This could have ensured that, in the event of unauthorised access, the data would have been protected,” he added.