Open database exposes 425 GB of financial companies’ data (Includes interview)

Researchers at vpnMentor have shared news about a recent data leak which exposed 425 GB in sensitive financial documents. The research team, led by Noam Rotem, uncovered an open database on an app developed by Advantage Capital Funding and Argus Capital Funding.

The app, which is now no longer available for download, stored data on an AWS S3 bucket database which apparently did not employ any form of encryptions, authentication, or access credentials. The consequence was that over 500,000 documents were left vulnerable on the unprotected server and included credit reports, bank statements, contracts, legal documents, driver’s license copies, purchase orders and receipts, tax returns, Social Security information and transaction reports.

Anurag Kahol, CTO, Bitglass, tells Digital Journal just how vulnerable cloud systems can be, if they are not properly configured: “According to Verizon, misconfiguration of cloud platforms accounted for 21 percent of breaches caused by errors. Cloud security is a shared responsibility between the cloud service provider and the organization. However, it is still the company’s responsibility that use services like AWS to ensure that data storage buckets are configured correctly and are properly secured. Personally identifiable information (PII) should never be accessible by unauthorized parties as this kind of information can enable identity theft and targeted spear-phishing campaigns.”

With the specific issue, Kahol describes: “This leak of 425 GB of company and client data could have been avoided by using data-centric security tools that ensure proper configuration of cloud services, deny unauthorized access, enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage.”

In terms of general advice, Kahol concludes: “Companies must deploy security solutions that provide the breadth and depth of capabilities needed in order to maintain complete visibility and control over data in the cloud.”