Fortune 100 Companies Data Exposed on AWS When IT Firm Fails to Secure with Passwords

09

September 2019

By: Orhan Yildirim

Among several enterprise customers of an Israeli IT firm whose data was compromised recently were TD Bank, Ford Motor Company and Netflix. Attunity, a company that provides data integration and Big Data Management solutions and promotes among other services an understanding of Industry Best Practices, left three Amazon S3 buckets exposed on the Internet without a password.

The leaky AWS S3 were found on May 13, and secured three days later, after UpGuard, an Australian cybersecurity startup company that helps companies stand up securely configured systems and guard against outages and breaches, discovered the vulnerabilities as part of it’s data breach hunting activities.

The highly sensitive exposed information included backups of employees’ Microsoft OneDrive accounts, email correspondence, system passwords, private keys for production systems, sales and marketing contact information, project specifications, employees’ personal data and more.

Other information included email correspondence between employees at unnamed companies, containing passwords for work accounts or production systems.

Backup files also contained troves of private keys and passwords for companies’ internal networks.

Acquired last May by the Pennsylvania-based software company Qlik, Attunity says on its website that it provides data management services to more than 2,000 enterprises and half the Fortune 500.

As reported on an UpGuard blog post, “A file with a client list found in the repository included a client list with a number of companies commensurate to that description.”

In the same post, UpGuard provided specific examples of exposed information, including Netflix database authentication strings, a TD Bank software upgrade invoice, and a Ford project preparation slide.

Qlik’s statement to the media said “Attunity was notified in-mid May of an issue related to internal company data stored in AWS S3 buckets. Attunity personnel responded quickly to ensure that the data was secured. Following Qlik’s acquisition of Attunity in May, and upon becoming aware of the issue, Qlik applied its security standards and best practices to the Attunity environments, including monitoring by Qlik’s 24×7 security operations center.”

“We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations. We take this matter seriously and are committed to concluding this investigation as soon as possible. At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us,” the statement continued.

“System credentials can be found in a number of places in the Attunity data set and serve as a useful reminder of how that information might be stored in many places across an organization’s digital assets,” UpGuard researchers reported.

This could have been avoided with proper security measures, including password management and especially Privileged Access Management (PAM); these three leaky S3 buckets could have been leveraged by bad actors and the data inside used to attack many of the world’s biggest companies, including one of the most highly respected banks in the world.

UpGuard researchers said this was only scratching the surface in the 1TB sample data they downloaded from the exposed buckets, and suggest the leaky servers likely held much more sensitive data.

Some hard lessons were learned, including the importance of configuring public cloud services and security settings properly – not assuming AWS automatically protects against unauthorized access. Another lesson learned is human error is still one of the biggest factors in causing security vulnerabilities, whether through lack of knowledge, lack of the right security software, or lack of management oversight.

Perhaps the most important lesson in this case was the one Qlik learned; as part of M&A, security due diligence is a must, especially as IT systems and teams are being integrated. While Qlik took immediate action and fixed the password issue three days after UpGuard brought the gaps to their attention, it certainly didn’t help on the reputational front, as large enterprises are increasingly tracking security issues.

Attunity counts among its other large clients Philips, Mercedes Benz, the American Cancer Society, Pfizer, Union Bank, Northrup Grumman, Cardinal Health, IHS Markit and hundreds more.

Attunity and their customers are not alone when it comes to data vulnerabilities when using AWS cloud services. Other reported incidents include:

  • An AWS S3 error exposed GoDaddy configuration data from thousands of servers, UpGuard cyber risk management said.
  • A non-profit organization in Los Angeles County misconfigured an AWS S3 cloud bucket — leaving 3 million records and highly sensitive health information exposed.
  • FedEx customer identification records were discovered on an unsecured Amazon Simple Storage Service (S3) cloud server, Kromtech Security Center reported.
  • Accenture Cloud mission critical intellectual property (IP) was exposed via an Amazon Web Services (AWS) cloud leak.
  • More than 4 million Time Warner Cable customer records were exposed via an AWS cloud leak.
  • World Wrestling Entertainment (WWE) database leak exposed the personal information of more than 3 million users.
  • About 2.2 million Dow Jones subscribers were affected by a data leak that occurred due to a misconfigured AWS cloud account.

The team at Ironsphere recommends that any enterprise and every managed services provider to enterprises always have secure access management software in place, including the protection of privileged accounts, and that corporate policies demand protection across all systems, including those hosted on AWS and other clouds.

While Amazon prides itself on their own privacy and data security policies, practices, and technologies, they also make it clear that customers maintain full control of their content and responsibility for configuring access to AWS services and resources. Amazon provides access, encryption, and logging features (AWS Identity and Access Management, AWS Organizations and AWS CloudTrail) through APIs, making it possible for their customers to configure access control permissions for any services developed or deployed in an AWS environment.

It is especially mission critical for Managed Service Providers like Attunity to ensure their customers’ private information and data are 100% secure, in order to build and maintain trusted relationships. As security is now being reviewed at the board level of large enterprises, most of whom are publicly traded, and as more security audits are being made, enlisting the support of companies like UpGuard to search as “breach hunters” is fundamental to protecting resources, reputations and relationships.

Learn more about Ironsphere’s PAM solution here.

Similar Blogs

Enterprise Risk Appetite Frameworks Should Include PAM

Enterprise Risk Appetite Frameworks Should Include PAM

Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile works, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”

read more