[BreachExchange] Open database exposes 425 GB of financial companies’ data

Destry Winant destry at riskbasedsecurity.com
Tue Apr 7 10:35:35 EDT 2020 

http://www.digitaljournal.com/tech-and-science/technology/open-database-exposes-425-gb-of-financial-companies-data/article/569816

Researchers at vpnMentor have shared news about a recent data leak
which exposed 425 GB in sensitive financial documents. The research
team, led by Noam Rotem, uncovered an open database on an app
developed by Advantage Capital Funding and Argus Capital Funding.
The app, which is now no longer available for download, stored data on
an AWS S3 bucket database which apparently did not employ any form of
encryptions, authentication, or access credentials. The consequence
was that over 500,000 documents were left vulnerable on the
unprotected server and included credit reports, bank statements,
contracts, legal documents, driver’s license copies, purchase orders
and receipts, tax returns, Social Security information and transaction
reports.
Anurag Kahol, CTO, Bitglass, tells Digital Journal just how vulnerable
cloud systems can be, if they are not properly configured: "According
to Verizon, misconfiguration of cloud platforms accounted for 21
percent of breaches caused by errors. Cloud security is a shared
responsibility between the cloud service provider and the
organization. However, it is still the company's responsibility that
use services like AWS to ensure that data storage buckets are
configured correctly and are properly secured. Personally identifiable
information (PII) should never be accessible by unauthorized parties
as this kind of information can enable identity theft and targeted
spear-phishing campaigns."
With the specific issue, Kahol describes: "This leak of 425 GB of
company and client data could have been avoided by using data-centric
security tools that ensure proper configuration of cloud services,
deny unauthorized access, enforce real-time access control, detect
misconfigurations, encrypt sensitive data at rest, manage the sharing
of data with external parties, and prevent data leakage."
In terms of general advice, Kahol concludes: "Companies must deploy
security solutions that provide the breadth and depth of capabilities
needed in order to maintain complete visibility and control over data
in the cloud.”


Read more: http://www.digitaljournal.com/tech-and-science/technology/open-database-exposes-425-gb-of-financial-companies-data/article/569816#ixzz6IwC69fkt

More information about the BreachExchange mailing list