Unsecured AWS S3 Servers Lead to Steep Settlement Fee for Dating App Jack’d, Exposed Data for Fortune 100 Companies

Unsecured AWS S3 Servers Lead to Steep Fines for Dating App Jack’d, Exposed Data from Fortune 100 Companies

Jack’d, a chat and dating app that caters to “gay, bisexual, and curious men,” has been hit with a US$240,000 settlement payment and an order to improve security after it failed to secure a leaky Amazon Web Services (AWS) S3 server that contained users’ private photos for over a year. New York Attorney General Leticia James announced the settlement after an investigation found that Online Buddies, Inc., the company behind Jack’d, failed to protect the sensitive photos of potentially 1,900 of the app’s gay, bisexual, and transgender users in New York.

Online Buddies was investigated after reports surfaced in February that the app is leaking sensitive imagery. Oliver Hough, the security researcher who traced the nude photos to the Jack’d app, informed the company of the misconfigured AWS S3 server in February 2018. However, the company was not able to act upon the report.

Aside from exposing nude photographs that have been privately uploaded by the app’s users and have been exclusively shared with others, the unsecure S3 server could have potentially divulged other sensitive information, such as location data, device IDs, OS versions, hashed passwords, and last login dates.

According to a press release issued by the Office of the New York State Attorney General, the dating app has around 7,000 active users in New York alone. Its website states that they have 1.2 million active users in 2,000 cities located in 180 countries. 

Misconfiguration remains a common pitfall for organizations, worryingly so as it is a time-tested way for cybercriminals to get their hands on users’ sensitive data. Like Online Buddies, the Israel-based data management company Attunity has also recently dealt with misconfiguration woes.  

According to research from UpGuard, three AWS S3 servers containing Attunity’s company data, including email correspondences and its employee database, had been left publicly accessible. Aside from Attunity’s own data, the company’s 2,000 customers — including Fortune 100 companies such as Netflix, Ford, and TD Bank — had their business documents, credentials, and communications exposed.

Preventing exposures: How to keep cloud services, customer data secure

As more users and organizations entrust their sensitive information to cloud applications, ensuring their security should be made a priority. Misconfiguration remains to be the root cause behind incidents of leaked data, leading enterprises to face high fines as well as reputational damage.

Companies using AWS can benefit from understanding the shared responsibility model, which outlines the necessary security configuration and management tasks enterprises must do on their end. AWS also lists compliance resources for enterprises, helping them better protect their content, platform, applications, systems, and networks.

Here are a few steps organizations can take to better secure their cloud services and protect sensitive data:

  • Understand your cloud. While added convenience is one of the main advantages of using cloud services, it doesn’t necessarily mean that implementing a cloud workload is a “plug and play” affair.
  • Check and modify credentials and permissions.
  • Regularly audit cloud assets to check for signs of misconfiguration. A common mistake organizations make when it comes to their cloud assets is assuming that a properly configured cloud will always remain so.
  • Implement security measures such as logging and network segmentation. The large number of users accessing the cloud can make managing it difficult.
  • Implementing strict user access minimizes the chance of exposed assets and compromised data.

Organizations that rely on the cloud for a large portion of their databases can look into cloud-centric solutions such as Trend Micro™ Hybrid Cloud Security, which delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads. It also features the Trend Micro™ Deep Security™ platform, the market share leader in server security, protecting millions of physical, virtual, and cloud servers around the world.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Online Privacy