Sensitive details of 2.2 million Dow Jones customers exposed on unprotected cloud storage

Sensitive details of 2.2 million Dow Jones customers exposed on unprotected cloud storage

Sensitive details of 2.2 million Dow Jones customers exposed on unprotected cloud storage

A database uploaded to Amazon's S3 cloud server by Dow Jones and configured to allow semi-public access exposed sensitive data belonging to 2.2 million customers.

The said database belonging to Dow Jones and containing customer data could be accessed by anyone with an Amazon Web Services account.

Cyber security research firm UpGuard has revealed how financial publishing firm Dow Jones, which is also the parent company of The Wall Street Journal, recently uploaded a database containing sensitive customer data to Amazon's S3 cloud server. The database was recently configured to allow semi-public access and, as the UpGuard Cyber Risk Team found out, could be accessed by anyone with an Amazon Web Services account.

Sensitive details of Bupa's insurance customers breached by rogue employee

The database contained names, customer IDs, home and business addresses, account details, last four digits of credit card numbers, email addresses and in some cases, phone numbers of millions of Dow Jones subscribers.

Even though Dow Jones has confirmed that 2.2 million customers were exposed, the UpGuard Cyber Risk Team believes the number of affected customers could be as high as 4 million.

'The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of the sensitive information of millions of Dow Jones customers. The data exposed in this cloud leak could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past,' noted Dan O'Sullivan from UpGuard.

'The aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information,' he added.

Dow Jones has played down the importance of the leaked data, stating that it "did not include full credit card or account login information that could pose a significant risk for consumers or require notification." A spokesman from Dow Jones added that the database contained only basic contact information and that there was no evidence that the information was taken.

OneLogin data breach: Hackers decrypt secured user data, apps and keys

According to UpGuard, the database offered a brilliant opportunity to cyber-criminals to use the available information to send phishing e-mails to customers by posing as The Wall Street Journal or any other publication.

"Sending official-looking emails purporting to be from the Wall Street Journal notifying customers their subscription had lapsed, or that their accounts had been compromised, malicious actors could have succeeded in convincing such high-value targets to supply credit card information, login credentials, or more," the firm noted.

It added that risky handling of customer data isn't limited to small-scale and mid-level firms but can also be committed by 'esteemed, well-known organizations occupying the upper echelons of the financial world'.

'Enterprises must start regaining control over their IT systems to ensure easily preventable mistakes are caught quickly, or face a costly digital backlash,' O'Sullivan concluded.

Earlier this month, security firm Kromtech revealed that sensitive details of 3 million WWE fans were exposed after an unsecured database belonging to the WWE Corporation was uploaded to Amazon's S3 cloud server and could be accessed by anyone 'who knew the web address to search'.

Google Home, Amazon Echo or Hive: How safe is your data?

Kromtech discovered that the database was not protected by any username or password and stored information on WWE fans in plain text. The information included income details, addresses, educational background, ethnicity, email addresses, birthdates, as well as gender and age ranges of children, the latter being optional requirements.

"In the last month, we’ve seen three high profile data incidents of this nature: Deep Root Analytics, Verizon Wireless and now Dow Jones. The difficulty with stopping this kind of thing is that it originates from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk," says Rich Campagna, CEO at Bitglass.

"Organisations must realise that they are responsible for configuring the cloud services they use in a secure manner. For Dow Jones, there are a host of technologies available today that could have quickly, easily and cost effectively ensured appropriate configuration of the cloud service and encrypted the customer data, en route to the cloud. This could have ensured that, in the event of unauthorised access, the data would have been protected," he added.

Copyright Lyonsdown Limited 2020

Top Articles

Universal Health Services lost $67m to a Ryuk ransomware attack last year

Universal Health Services said the cyber attack cost it $67 million in remediation efforts, loss of acute care services, and other expenses.

How the human immune system inspired a new approach to cyber-security

Artificial intelligence is being used to understand what’s ‘normal’ inside digital systems and autonomously fight back against cyber-threats

Solarwinds CEO blames former intern for hilarious password fiasco

SolarWinds has accused a former intern of creating a very weak password for its update server and storing it on a GitHub server for months.

Related Articles