Financial giant Dow Jones & Company has inadvertently leaked the sensitive personal and financial details of millions of the company’s customers.
The UpGuard Cyber Risk Team found that a cloud-based file repository owned by the publishing firm had been configured to allow semi-public access to the records of at least 2.2 million customers, a figure Dow Jones has confirmed; UpGuard's own conservative estimate, based on the size and composition of the repository, is that the number may be as high as four million.
The exposed data includes the names, addresses, account information, email addresses and last four digits of credit card numbers of millions of subscribers to Dow Jones publications like The Wall Street Journal and Barron's. Also exposed were the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations.
The discovery was made May 30 and the bucket was secured June 6; since then, Dow Jones has made little effort to notify affected users beyond an article in the Journal covering the leak on July 16, more than a month after the remediation.
“The data exposed in this cloud leak could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past,” said UpGuard researcher Dan O’Sullivan, in a post. “The aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information.”
He added, “With a list of 4 million subscribers to Dow Jones publications, it is not hard to see how malicious actors could deploy phishing messages against exposed customers. Sending official-looking emails purporting to be from The Wall Street Journal notifying customers their subscription had lapsed, or that their accounts had been compromised, malicious actors could have succeeded in convincing such high-value targets to supply credit card information, login credentials or more.”
UpGuard said that the exposed data repository, an Amazon Web Services S3 bucket, had been configured via its access control list to grant read access to the predefined AWS “Authenticated Users” group, allowing the data to be downloaded via the repository’s URL. Despite the name, that group is not limited to users of the bucket owner’s own AWS account: per Amazon’s own definition, an “authenticated user” is “any user that has an Amazon AWS account,” a base that already numbers over a million users, and registration for such an account is free.
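The misconfiguration described above, as an added example (not code from the article, from UpGuard or from Dow Jones): a small audit that reads an S3 ACL in the dict shape boto3's `get_bucket_acl` / `get_object_acl` return and flags any grant to AWS's two predefined global groups. The ACLs, the owner ID and the in-memory client are constructed here so the check runs offline; in real use, pass `boto3.client("s3")` to `audit_bucket` instead.

```python
"""Audit S3 ACLs for grants to AWS's predefined global groups.

Added example; not code from the article, UpGuard or Dow Jones. It operates
on the dict shape that boto3's ``get_bucket_acl`` / ``get_object_acl`` return.
The ACLs and the in-memory client below are constructed so it runs offline;
in real use pass ``boto3.client("s3")`` to ``audit_bucket`` instead.
"""

# The two predefined groups S3 accepts as ACL grantees. Neither is scoped to
# the bucket owner's account: AllUsers is anonymous access, and
# AuthenticatedUsers is any AWS account holder anywhere (free to register).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {
    ALL_USERS: "anyone, no credentials needed",
    AUTHENTICATED_USERS: "any AWS account in the world",
}

# What each bucket-level permission hands to the grantee.
BUCKET_PERMISSION_MEANING = {
    "READ": "list every object key in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL (i.e. take it over)",
    "FULL_CONTROL": "all of the above",
}

OWNER_ID = "c0ffee" * 10 + "c0ff"  # constructed 64-hex canonical user ID

# Constructed: the kind of ACL the article describes. The owner keeps
# FULL_CONTROL and "Authenticated Users" was granted READ, presumably in the
# belief that it meant the owner's own authenticated users.
LEAKY_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Constructed: the corrected ACL, which is what the canned ACL "private" yields.
PRIVATE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
    ],
}


def global_grants(acl):
    """Return (audience, permission, effect) for each grant to a global group.

    Grants to CanonicalUser or AmazonCustomerByEmail grantees name specific
    accounts and are not reported; only the two global groups are.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in GLOBAL_GROUPS:
            perm = grant["Permission"]
            findings.append((GLOBAL_GROUPS[uri], perm,
                             BUCKET_PERMISSION_MEANING.get(perm, "unknown permission")))
    return findings


def is_effectively_public(acl):
    """S3 itself treats any grant to AllUsers or AuthenticatedUsers as public."""
    return bool(global_grants(acl))


def audit_bucket(s3_client, bucket):
    """Fetch a bucket's ACL through a boto3-style client and return its findings."""
    acl = s3_client.get_bucket_acl(Bucket=bucket)
    return global_grants(acl)


class ConstructedS3Client:
    """In-memory stand-in for boto3's S3 client so the audit runs offline."""

    def __init__(self, acls):
        self._acls = acls

    def get_bucket_acl(self, Bucket):
        return self._acls[Bucket]


if __name__ == "__main__":
    client = ConstructedS3Client({"leaky-bucket": LEAKY_ACL, "fixed-bucket": PRIVATE_ACL})
    for name in ("leaky-bucket", "fixed-bucket"):
        findings = audit_bucket(client, name)
        print(f"{name}: {'PUBLIC' if findings else 'ok'}")
        for audience, perm, effect in findings:
            print(f"  {perm} granted to {audience} -> can {effect}")
```

Two caveats when using this against real buckets. A bucket-level READ grant only lets the holder list keys; whether each listed object can be downloaded is decided by the object's own ACL and by any bucket policy, so a complete audit also runs `global_grants` over `get_object_acl` results (the function accepts those dicts unchanged). For a one-off check from the command line, `aws s3api get-bucket-acl --bucket NAME` returns the same structure, and `aws s3api put-bucket-acl --bucket NAME --acl private` removes the grant; since 2018, enabling S3 Block Public Access on the bucket with `IgnorePublicAcls` set also neutralises grants to either global group regardless of what the ACL says.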
“The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of the sensitive information,” O’Sullivan said.
This is the latest in a series of misconfigurations of Amazon S3 storage by companies that have exposed data. In June, an “unintentional mistake” by contractor Booz Allen Hamilton (BAH) resulted in more than 60,000 US Department of Defense files being left publicly exposed in an Amazon S3 repository.
Brian Vecci, technical evangelist at Varonis, told Infosecurity that researchers and hackers alike are continually canvassing systems like Amazon S3, probing for wide-open buckets with misconfigured access controls.
“The odds are high that they will find a cache of sensitive information because organizations have a staggering amount of dark data, meaning they don’t know who has access, who should have access and when malware or human users are behaving dangerously,” he said. “In a recent study by the Ponemon Institute, 62% of end users say they have access to company data they probably shouldn’t see. Also, 38% of organizations surveyed said they don’t monitor file or email activity whatsoever. Too many people have access to too much critical data, and too many companies are blind to what’s going on.”
Complexity compounds the problem: as data grows and spreads across more platforms, in the data center and the cloud alike, it becomes easier and more common for IT to make mistakes.
“It’s getting harder and more costly to make sure the data is secure and the result is more and more costly breaches,” Vecci said. “Organizations regularly assess risk, but they can take a big step to ensure they don’t suffer a data breach by conducting a data risk assessment. Many focus, perhaps too much, on penetration and vulnerability testing. They’re testing the strength of their outer walls while remaining blind to the risk to their data.”