A year that saw major data breaches, including some notable ones from companies like Uber and Equifax, just saw another breach that will likely rank as among 2017’s most notable incidents.
In what seems to be a familiar theme, online marketing firm and data analytics company Alteryx left information on more than 120 million US households exposed on the internet—a number that encompasses just about every US citizen. The incident was caused by a misconfigured Amazon Web Services (AWS) S3 Bucket that exposed the 36GB worth of data to the public. The data consists of 248 categories, including specific information such mortgage and consumer demographics in addition to addresses and contact details.
The data was discovered after security professional Chris Vickery came upon the repository after doing a routine search of AWS buckets. The data sets are actually owned by a company called Experian, an Equifax competitor, as part of the ConsumerView database, which it sells to companies such as Alteryx. As of the time of publication, Alteryx has already secured the bucket and removed the file.
While actual names were not included in the database, the data in the leak is comprehensive enough to be combined with other information sources to retrieve names.
As mentioned earlier, exposed data due to misconfigured cloud storage services are neither new, nor uncommon. In fact, some of 2017's most notable data breaches were caused by this issue. It would be wrong to place the blame on web services such as Amazon, as these kinds of services will typically have public access turned off by default. However, due to the nature of cloud storage, many organizations will typically have their own custom tools and settings that will need to be configured correctly with security as a top priority. This is even more important for companies that handle large amounts of personal and sensitive data, as the compromise of these kinds of information can place millions of people at risk.
These issues point back to the shared responsibility model for cloud services. Securing data stored in the cloud is not something that the service provider or the company employing the service can accomplish alone. While the provider can ensure that their servers and tools are secure, the company should also create a highly secure environment for their stored data, which includes the proper configuration of their storage infrastructure. This means implementing access policies, ensuring proper encryption, and the overall configuration of the cloud service to fit the needs of both the organization and their customers. Proper implementation of the shared responsibility model can minimize data breach incidents due to misconfigured web services.