[BreachExchange] Dow Jones cloud server borkage sees personal details of '4 million customers' leaked

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 18 19:31:17 EDT 2017


https://www.theinquirer.net/inquirer/news/3013999/dow-jones-has-potentially-leaked-the-personal-details-of-2

A security company called UpGuard has exposed a problem with a Dow Jones
server that partially exposed the details of as many as 4 million people.

This is bad news for Dow Jones and its punters. UpGuard suggests that there
was some oversight in the setting up of the weak point, which could have
been avoided. If it had been avoided, a lot of people might be the sole
owners of their own email addresses, with some of their credit card details
unmolested.

"The UpGuard Cyber Risk Team can now report that a cloud-based file
repository owned by financial publishing firm Dow Jones & Company, that had
been configured to allow semi-public access exposed the sensitive personal
and financial details of millions of the company's customers," said the
firm.

"While Dow Jones has confirmed that at least 2.2 million customers were
affected, UpGuard calculations put the number closer to 4 million
accounts," said UpGuard, adding that this is just the tip of the breach
iceberg.

The exposed data includes the names, addresses, account information, email
addresses, and last four digits of credit card numbers of millions of
subscribers to Dow Jones publications like The Wall Street Journal and
Barron's.

"Also exposed in the cloud leak were the details of 1.6 million entries in
a suite of databases known as Dow Jones Risk and Compliance, a set of
subscription-only corporate intelligence programs used largely by financial
institutions for compliance with anti-money laundering regulations," the
security firm added.

Other security companies have cottoned on to what is happening and have
naturally thrown their tin foil propeller hats into the comment ring.
Christiaan Beek, lead scientist and principal engineer at McAfee, seemed to
sympathise by saying that firms face a lot of threats, but wound up blaming
human error and software.

"Companies today are battling an increasingly varied threat landscape while
managing huge amounts of data. It can be a challenge to keep close track of
where this data resides to ensure it is secure - and in this case, one
small error in the cloud resulted in a large scale exposure," he said.

"The reality is that as companies become more focused on preventing cyber
crime, they may be unconsciously shooting themselves in the foot in their
efforts to be completely secure. It is not unusual for businesses to have
over 10 security tools that require constant monitoring in order to ensure
everything is correct - meaning that unfortunately, human error becomes a
key factor in monitoring and safeguarding data."

We have asked Dow Jones to explain itself.