London-based SSL247, a reseller of a range of internet security products, misconfigured an AWS S3 bucket, exposing the personal information of up to 350,000 users who made purchases on the company's website.
Headquartered in London, SSL247 Ltd is in the business of selling secure SSL certificates, digital IDs and managed PKIs for identity management, and also provides automated and human vulnerability assessment services along with accredited penetration testing and auditing services.
Founded in 2003, SSL247 has a major presence in South America, the Middle East, North America, Europe, and Africa as a leader in the web security industry and offers various products and services in partnership with Symantec, Globalsign, Qualys, Thales e-Security, and Norton.
On 5th May this year, security researchers at vpnMentor discovered a misconfigured Amazon Web Services S3 bucket owned by SSL247 containing an estimated 465,000 files totalling 158GB. These files held the personal information of up to 350,000 users who purchased security products through SSL247.
According to vpnMentor, SSL247 used the misconfigured S3 bucket to store customer-related documents such as invoices, purchase orders, account documents, and customer lists dating back to 2012. These documents contained Personally Identifiable Information (PII) of private individuals and companies, including full names, email addresses, phone numbers, personal and business addresses, company details, profile photos, credit filings and financial data, and SSL247 account information.
The misconfigured bucket was also found containing files related to marketing and promotion for SSL247’s services and products as well as some records associated with the company’s internal operations and finances.
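The exposure described above comes down to a few bucket settings. As an added example (not code from the article, SSL247 or vpnMentor), the script below audits constructed copies of those settings offline and shows a world-readable configuration beside a corrected one; the bucket name, account ID and role name are placeholders.

```python
import json

# Added example (not SSL247's or vpnMentor's code). Offline check of the three
# S3 settings that decide public readability; all values are constructed samples
# shaped like boto3's get_bucket_acl / get_bucket_policy / get_public_access_block.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def policy_is_public(policy_json):
    """True if an Allow statement names a wildcard principal (Condition blocks
    are not evaluated, so this errs toward flagging)."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in ([aws] if isinstance(aws, str) else (aws or [])):
            return True
    return False

def acl_is_public(grants):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) for g in grants)

def bucket_findings(policy_json, grants, block):
    """Simplified Block Public Access model: IgnorePublicAcls neutralises public
    ACL grants and RestrictPublicBuckets neutralises a public bucket policy."""
    findings = []
    if acl_is_public(grants) and not block.get("IgnorePublicAcls", False):
        findings.append("public ACL grant")
    if policy_is_public(policy_json) and not block.get("RestrictPublicBuckets", False):
        findings.append("public bucket policy")
    return findings

# Weak setting: world-readable ACL, wildcard policy, Block Public Access all off.
WEAK_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
WEAK_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Corrected setting: owner-only ACL, policy scoped to one IAM role, all four blocks on.
SAFE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID"}, "Permission": "FULL_CONTROL"}]
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAFE_BLOCK = {key: True for key in WEAK_BLOCK}
```

Calling `bucket_findings(WEAK_POLICY, WEAK_GRANTS, WEAK_BLOCK)` returns both findings, while the corrected settings return an empty list; enabling Block Public Access alone already neutralises the weak ACL and policy in this model.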
SSL247 did not acknowledge researchers' report on the data leak
"For a company dedicated to internet privacy to expose such sensitive data belonging to a large group of people is incredibly negligent. Anonymity is the core function of products like SSL certificates, so by breaching this anonymity and exposing the identities of its customers, SSL247 has failed in its most basic function as a business. By not securing this data, SSL247 compromised the safety and security of its customers and jeopardized its future as a respected company in the internet security industry," vpnMentor said.
While it is not known whether cyber criminals accessed the exposed S3 bucket, the firm said that if the data stored in it fell into the hands of hackers, SSL247 could have faced financial ruin and a major reputational loss, just like Dutch certificate authority DigiNotar, which lost the trust of every web browser in 2011 after hackers used fraudulent DigiNotar certificates to initiate man-in-the-middle attacks.
"SSL247 risks losing trust from users and damage to its reputation as a result of the breach. Storing such sensitive, private customer data in a publicly accessible S3 bucket is a fundamental lapse in data security for any company, but especially one reselling security products," the firm said.
The vpnMentor research team was also very much surprised by the attitude of SSL247 when they contacted the company to report the massive leak of customer records. Instead of acknowledging the alert or checking it out, a senior representative from the company said: “I very much doubt it.”
The exposed AWS S3 bucket was finally closed to public access a few days later when the vpnMentor research team contacted AWS directly to report the breach. "For such a well-regarded company within the internet security industry to react in this way is surprising and disheartening," the firm added.
Commenting on the massive leak of customer records caused by SSL247, Mark Bower, SVP Data Security Specialist at comforte AG, said that the cloud itself represents the ultimate third-party risk, and that minimum viable compliance has proven yet again to be nowhere close to minimum viable security.
"The twist is that the shared responsibility model for the cloud puts 100% of the responsibility on the data owner when they are responsible to secure, configure, and control the cloud they are using. This is a classic and preventable case of breakdown - assuming the cloud’s controls are in place or sufficient, and illustrating the weak reliance on checklists and humans to enforce them.
"So many organisations rely on risk assessments instead of hard, proven controls like encryption and tokenization of data. The former may meet a policy, but only the latter will stop data theft when misconfiguration, attack, or error leaves data exposed," he added.