Another web server misconfiguration, this time by Viacom, led to the exposure of the company’s entire IT infrastructure as well as secret keys for its AWS account.
Viacom has confirmed that no employee or customer information was accessed by hackers following the exposure.
Global media corporation Viacom came within inches of an unprecedented data breach after a server misconfiguration exposed the company’s entire IT infrastructure on an unsecured Amazon cloud server.
The owner of Paramount Pictures, as well as hundreds of television channels including MTV, Comedy Central, VH1 and Nickelodeon, could have lost control of its vast IT infrastructure had cyber criminals stumbled upon the unsecured web server before a team of alert cyber security experts did.
Chris Vickery, Director of Cyber Risk Research at security firm UpGuard, discovered the publicly downloadable Amazon Web Services S3 cloud storage bucket on August 30th. Upon further analysis, he noted that the repository contained data that had been created post-June of this year and included details associated with its associated brands, including MTV, VH1, and Comedy Central.
The unsecured database also included details about Viacom’s Multiplatform Compute Services (MCS) which supports the infrastructure for hundreds of Viacom’s online properties, including MTV, Nickelodeon, Comedy Central, Paramount, and BET.
“While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” said UpGuard.
“Exposed within this repository are not only passwords and manifests for Viacom’s servers, data needed to maintain and expand the IT infrastructure of an $18 billion multinational corporation, but perhaps more significantly, Viacom’s access key and secret key for the corporation’s AWS account. By exposing these credentials, control of Viacom’s servers, storage, or databases under the AWS account could have been compromised.”
Vickery alerted Viacom about the exposed Amazon S3 could database on August 31st, following which the company rectified the issue. Had the issue not been rectified or discovered in time, hackers could have used Viacom’s brand recognition and its digital properties to carry out phishing campaigns and trick customers into revealing their personal details.
At the same time, hackers could have used secret access keys to Viacom’s Amazon Web Server account to spin off additional servers to use Viacom IT systems as a botnet.
‘The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity,’ the firm concluded.
Viacom’s error, which could have easily turned into a massive data breach or a phishing scam, is another example of large enterprises not giving the required attention to security concerns while moving their infrastructure onto cloud services like Microsoft’s Azure or Amazon’s AWS cloud.
In the UK, a large number of businesses are in favour of cloud adoption despite many of them being unconvinced about the present levels of security offered by leading cloud services. A recent survey of over 500 senior executives across UK firms by software firm Advanced revealed that 80% of them wanted to go for cloud technologies despite 82% of them asking cloud providers to do more to build confidence among client businesses and customers.
“As an industry and profession, we all need to proactively give clear guidance on security responsibilities and support organisations in being better protected, ensuring devices and applications are properly patched and secured – those writing the software are clearly best placed to provide this. With General Data Protection Regulation (GDPR) coming into force next year we also have a duty of care to provide clarity on how data is being stored and secured in the Cloud.
“There’s still a job to be done in creating trust in the Cloud and helping customers use the cloud in the right way for the digital transformation that’s right for them. Our survey shows most organisations want financially stable providers and prefer those that store data locally and offer local support; this will become even more pertinent as Britain leaves the European Union. They will trust the providers that offer certainty in an uncertain market and those with a vested interest in the UK and the Cloud,” said Jon Wrennall, CTO at Advanced.