Who is to blame? Unsecured Amazon Web Services S3 bucket held passport scans and other sensitive personal data, but the culprit has yet to be identified
The passport details of thousands of British citizens have been compromised in the latest breach of data on Amazon’s cloud service, but the culprit responsible has yet to be identified.
The Amazon Web Services (AWS) S3 data store, a so-called “bucket”, was misconfigured and hence unprotected (AWS buckets are secured by default), a fact uncovered by vpnMentor security researchers Noam Rotem and Ran Locar.
The bucket contained personal data from several British consulting firms and their HR departments. Information included passport scans, job applications, and tax documents, all of which are highly sensitive.
According to the researchers, the data came from Dynamic Partners (closed in 2019); Eximius Consultants Ltd, Garraway Consultants (closed in 2014), IQ Consulting, Partners Associates Ltd (closed in 2018), and Winchester Ltd (closed in 2018).
Most of the exposed data came from 2014-2015, but some files go back as far as 2011, the researchers warned.
Typical information found included thousands of passport scans; tax documents; job applications; proofs of address; extensive background checks; criminal records; expenses and benefits forms; paperwork relating to business taxes and HMRC; scanned contracts with signatures; salary information for a range of roles and positions; emails and private messages; and much more.
This treasure trove of data revealed for example full names, addresses, phone numbers, email addresses, dates of birth, salary details, and company financial records to name but a few.
“While the owner of the database was not initially clear, it was labeled ‘CHS’,” noted the researchers. “We traced this back to CHS Consulting, a London-based consulting firm. However, as the company has no website, we cannot confirm their ownership of the database.”
“In the meantime, we also contacted AWS directly and CERT-UK, the country’s Computer Emergency Response Team – responsible for monitoring and handling data security in the UK,” they wrote. “By December 19th, the breach had been closed and the database secured.”
This is not the first time that sensitive data has been discovered misconfigured (and hence unprotected) on the Amazon cloud.
In 2017, for example, researchers found an AWS bucket of the US military that contained “critical data” belonging to the US Army.
That data is deemed so sensitive that it is not even allowed to be shared with allies of the United States, but it was found on a virtual image of a hard disk left on an AWS server, all without password protection.
The discovery of another exposed AWS bucket triggered a great number of responses from security experts.
“The recent compromise of British passport data stands as hard proof that data breaches do not have to be intentional to be damaging,” said Max Heinemeyer, director of threat hunting at Darktrace.
“In a climate of post-Brexit divisions, a compromise of this kind could be particularly calamitous,” said Heinemeyer. “With passport data at their fingertips, scammers could seize the opportunity to launch follow-up attacks around Brexit, using the credentials to craft hyper-realistic phishing emails under the disguise of concerns surrounding citizenship.”
“All the configurations required to keep cloud, SaaS, BYOD, and OT systems up to date are overwhelming and outpacing security teams,” said Heinemeyer. “Now more than ever, it’s crucial that we turn to AI to do the heavy lifting for us.”
Another expert also noted the especially sensitive nature of the data that has been exposed.
“Another day, another unsecured AWS bucket, and the data in this one couldn’t be more sensitive,” noted Richard Walters, CTO of Censornet. “The files discovered by the researchers include passports, job applications, tax documents, background checks, and scanned contracts. Essentially, every personal detail a criminal could possibly need to conduct identity theft, all left in an unsecure database online.”
“Remember, we only hear about open databases in the news when security researchers find them – criminals don’t advertise that they’ve come across a treasure trove of information – but you better believe that they’re out there searching for them,” said Walters.
“This is not the fault of Amazon, which has security measures for its AWS storage,” said Walters. “In fact, you have to disable the default security measures to leave a database open like this. Data leaks such as this happen because businesses do not have enough awareness or visibility of how their data is actually being stored in the cloud, and it is crucial that this changes. Unfortunately a lack of accountability makes this difficult – Amazon can’t disclose whose storage this is so we don’t know what organisation is responsible.”
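Walters’ point that a bucket has to have its default protections switched off before it is reachable anonymously is something a defender can check mechanically. The script below is an added example written for this article, not code from vpnMentor, AWS or any of the firms quoted. It evaluates the three settings that decide exposure (the Public Access Block flags, ACL grants to the global groups, and bucket policy statements granting access to everyone) over two constructed bucket configurations; the bucket names, the owner ID and the policy are invented for illustration. The `fetch_bucket_config` helper pulls the same three settings for a live bucket with boto3 and is only needed when credentials are present.

```python
"""Audit an S3 bucket's public exposure (added example, not from the article).

A bucket is anonymously reachable only if the account or bucket Public Access
Block is incomplete AND either the ACL grants to AllUsers/AuthenticatedUsers or
the bucket policy has an unconditional Allow for Principal "*".
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class BucketConfig:
    name: str
    public_access_block: Dict[str, bool] = field(default_factory=dict)  # absent -> all False
    acl_grants: List[dict] = field(default_factory=list)
    policy: Optional[dict] = None


def public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (everyone, signed or not)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def evaluate(cfg: BucketConfig) -> List[str]:
    """Return human-readable findings; an empty list means no public path was found."""
    findings = []
    pab = cfg.public_access_block
    missing = [f for f in PAB_FLAGS if not pab.get(f, False)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing) + " not set")
    # Public ACL grants only matter while IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls", False):
        for grant in cfg.acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in (ALL_USERS, AUTH_USERS):
                findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    # A public policy only matters while RestrictPublicBuckets is off.
    if cfg.policy and not pab.get("RestrictPublicBuckets", False):
        for st in cfg.policy.get("Statement", []):
            if st.get("Effect") == "Allow" and public_principal(st.get("Principal")) and not st.get("Condition"):
                findings.append(f"policy allows {st.get('Action')} to everyone (Sid={st.get('Sid', '-')})")
    return findings


def fetch_bucket_config(name: str) -> BucketConfig:
    """Read the live settings with boto3 (needs credentials; not used by the samples below)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    cfg = BucketConfig(name=name)
    try:
        cfg.public_access_block = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
    cfg.acl_grants = s3.get_bucket_acl(Bucket=name)["Grants"]
    try:
        cfg.policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
    return cfg


# Constructed sample configurations (hypothetical buckets, not the one in the article).
EXPOSED = BucketConfig(
    name="example-hr-archive",
    public_access_block={},  # never enabled: the "default security measures" are off
    acl_grants=[{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    policy={"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hr-archive/*"}]},
)
LOCKED_DOWN = BucketConfig(
    name="example-hr-archive-private",
    public_access_block={flag: True for flag in PAB_FLAGS},
    acl_grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_ID_PLACEHOLDER"},
                 "Permission": "FULL_CONTROL"}],
    policy=None,
)

if __name__ == "__main__":
    for cfg in (EXPOSED, LOCKED_DOWN):
        print(cfg.name, evaluate(cfg) or ["no public exposure found"])
```

The evaluation is kept separate from the boto3 calls so it can be unit-tested and run over exported configurations; in practice the same three checks are what the provider-side posture tools mentioned later in the article automate.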
Another expert agreed about the need to correctly configure cloud databases.
“The risk associated with incorrectly configured cloud resources has been highlighted many times by many people,” explained Peter Draper, technical director, EMEA at Gurucul. “The content of the database appears to have more information than most reported unsecured databases and contains a wealth of information which bad actors could use for fraud and identity theft.”
“Please – if you run any services in the cloud, have your teams double and triple check that they are secured correctly,” said Draper.
Another expert noted that this could be one of the first really notable data breach incidents so far in 2020.
“Given the sensitive nature of the information exposed in this leak, if this database had been discovered by criminal hackers, the security and privacy consequences for those whose data had been exposed could be great,” said Robert Ramsden Board, VP EMEA at Securonix.
“This may be one of the first data incidents of 2020, but it follows a very similar pattern to numerous data leaks in 2019,” said Ramsden Board. “Practising basic cyber hygiene is a must for all organisations, particularly those that are trusted with our most sensitive data, and in 2020 those that fail to secure their databases should be held accountable.”
Meanwhile another expert warned people associated with the named consultancies to take additional precautions.
“Anyone with an association to the consultancy firm whose data was left exposed on the encrypted database should take preventive measures to avoid falling victim to a scam, such as being wary of emails coming from unknown senders and avoiding clicking on links and attachments they don’t recognise,” explained Corin Imai, senior security advisor at DomainTools.
“In turn, organisations that store data in the cloud should make sure they understand their role in securing it: cloud providers are responsible for the security of the cloud, but customers are still in charge of securing what they choose to store in it,” said Imai.
And finally, another expert warned that this type of data exposure in the cloud is unfortunately not an uncommon occurrence.
“Today, we are still in the early days of cloud infrastructure security, and what we are seeing is a prevalence of opportunistic, not very sophisticated attacks, such as looking for publicly accessible AWS S3 data buckets,” said Sergio Lourerio, cloud security director at Outpost24.
“You’d be amazed to see the data you can find there just by simply scanning low hanging data in cloud infrastructures,” said Lourerio. “And it only takes a couple of API calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and lack of knowledge of security best practices on Azure and AWS it is very simple to get something wrong.”
Lourerio said that cloud providers such as AWS, Azure and GCP are launching tools so customers can tackle this issue. Those tools can be complemented by cloud security posture management solutions and cloud workload protection platforms.
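The opportunistic scanning Lourerio describes leaves a trace on the defender’s side: every unsigned request shows up in S3 server access logging with “-” in the requester field. The following is an added example, not code from Outpost24 or the article, that parses the standard server access log layout and separates successful anonymous reads (data actually served to nobody in particular) from denied anonymous probes (scanners knocking). The four log lines are constructed for the example, with placeholder owner and account identifiers and documentation-range IP addresses; the bucket and object names are invented.

```python
"""Flag anonymous activity in S3 server access logs (added example, not from the article).

Field order in the server access log: bucket owner, bucket, [time], remote IP,
requester ("-" when the request was unsigned), request ID, operation, key,
"request-URI", HTTP status, error code, ... The regex captures up to the error
code, which is all this check needs.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<error>\S+)'
)
READ_OPS = ("REST.GET.OBJECT", "REST.HEAD.OBJECT", "REST.GET.BUCKET")


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised access log line: {line[:60]!r}")
    return m.groupdict()


def anonymous_reads(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Unsigned GET/HEAD/LIST requests that succeeded: data left the bucket anonymously."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["requester"] == "-" and rec["status"].startswith("2") and rec["operation"] in READ_OPS:
            hits.append(rec)
    return hits


def probe_sources(lines: Iterable[str]) -> Counter:
    """Remote IPs whose unsigned requests were denied: background scanning for open buckets."""
    sources: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["requester"] == "-" and rec["status"] == "403":
            sources[rec["ip"]] += 1
    return sources


# Constructed sample log lines (placeholder identifiers, RFC 5737 test addresses).
SAMPLE_LOG = [
    'OWNER_ID_PLACEHOLDER example-hr-archive [06/Jan/2020:09:15:02 +0000] 198.51.100.7 - 3E57427F3EXAMPLE '
    'REST.GET.BUCKET - "GET /example-hr-archive?list-type=2 HTTP/1.1" 200 - 2113 - 12 11 "-" "aws-cli/1.16" '
    '- - - - example-hr-archive.s3.eu-west-2.amazonaws.com TLSv1.2 -',
    'OWNER_ID_PLACEHOLDER example-hr-archive [06/Jan/2020:09:15:09 +0000] 198.51.100.7 - 3E57427F4EXAMPLE '
    'REST.GET.OBJECT scans/passport_0001.pdf "GET /scans/passport_0001.pdf HTTP/1.1" 200 - 482113 482113 41 19 '
    '"-" "aws-cli/1.16" - - - - example-hr-archive.s3.eu-west-2.amazonaws.com TLSv1.2 -',
    'OWNER_ID_PLACEHOLDER example-hr-archive [06/Jan/2020:09:16:40 +0000] 203.0.113.9 - 3E57427F5EXAMPLE '
    'REST.GET.BUCKET - "GET /example-hr-archive HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "python-requests/2.22" '
    '- - - - example-hr-archive.s3.eu-west-2.amazonaws.com TLSv1.2 -',
    'OWNER_ID_PLACEHOLDER example-hr-archive [06/Jan/2020:09:20:01 +0000] 192.0.2.44 '
    'arn:aws:iam::123456789012:user/hr-upload 3E57427F6EXAMPLE REST.PUT.OBJECT scans/contract_0042.pdf '
    '"PUT /scans/contract_0042.pdf HTTP/1.1" 200 - - 91822 88 33 "-" "aws-sdk-java/1.11" '
    '- - - - example-hr-archive.s3.eu-west-2.amazonaws.com TLSv1.2 -',
]

if __name__ == "__main__":
    for rec in anonymous_reads(SAMPLE_LOG):
        print(f"ANON READ {rec['time']} {rec['ip']} {rec['operation']} {rec['key']}")
    for ip, count in probe_sources(SAMPLE_LOG).items():
        print(f"probe {ip}: {count} denied anonymous request(s)")
```

On a bucket that is meant to be private, any hit from `anonymous_reads` is an exposure already in progress and warrants the same configuration review the article’s experts call for; a steady trickle from `probe_sources` with no successes is the baseline noise of the scanning described above and is useful mainly to confirm the logging pipeline is working.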