Time Warner Cable customers are the latest to be affected by the exposure of sensitive personal data on misconfigured cloud servers
Millions of records containing the personal details of Time Warner Cable (TWC) customers have been discovered in a publicly accessible storage repository.
Security researchers at Kromtech, which makes the MacKeeper antivirus software, said they discovered the data on 24 August while researching another leak involving World Wrestling Entertainment (WWE).
Amazon S3 buckets exposed
They discovered two repositories hosted using Amazon’s S3 cloud storage service, neither requiring a password for access.
The repositories were linked to BroadSoft, a US-based company with offices worldwide that provides services to large communications companies including AT&T, Sprint and Vodafone.
TWC, which was acquired by Charter Communications last year and is now called Spectrum, said the data related to users of the MyTWC mobile application used to remotely manage accounts, which was developed by BroadSoft.
“We were notified by a vendor that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources,” Charter said in a statement.
The company said the data had been removed and the incident was being investigated.
“We encourage customers who used the MyTWC app to change their user names and passwords,” Charter stated.
The data included usernames, email addresses, MAC addresses, device serial numbers and financial transaction information, although it doesn’t appear that social security numbers or credit card information was involved.
Other databases included billing addresses, phone numbers and other contact information.
One of the databases contained four million records relating to customers, but some were duplicates, meaning less than four million individual users were likely to have been affected.
Kromtech said it would take “weeks” to sort through the files, which amount to more than 600 GB of data.
The repositories also included internal company records, including SQL database dumps, internal emails and code containing the credentials for accessing external systems and access logs.
“These are all things that should not be publicly available online,” Kromtech said in an advisory.
BroadSoft confirmed the leak but said it did not believe sensitive data was involved. The company said it was investigating.
Inadvertent data leaks have become more frequent as it becomes more common for companies to make use of cloud-based service providers, whose data is accessible by anyone unless protections are in place.
In July it was disclosed that Verizon had exposed data on about 6 million customers by misconfiguring an Amazon S3 bucket, and similar incidents have affected voter information held by the Republican National Committee (RNC) and customer data exposed by wrestling entertainment company WWE.
The RNC breach, disclosed in June, affected more than 198 million people, or about 61 percent of the US population, and was the country’s largest-ever voter data exposure.
Last month Amazon announced a machine learning-based tool aimed at spotting such security lapses. ‘Macie’, a fully managed service, scans users’ data repositories for sensitive data including personal information or intellectual property and uses machine learning to establish a baseline for how it’s typically accessed. The system then generates alerts when it detects unauthorised access or inadvertent data leaks.
Ironically, Kromtech itself was the subject of a data leak in December 2015, when researcher Chris Vickery discovered the company had left 21 GB of customer data exposed on servers that required no authentication and were open to external connections.
How well do you know the cloud? Try our quiz!