Aussie Broadcaster Left Two Years of Back-ups Exposed
Australian broadcaster ABC has become the latest in a long line of companies to publicly expose highly sensitive corporate data because of misconfigured Amazon cloud databases.
Kromtech Security Center found at least two unsecured S3 buckets linked to ABC Commercial, containing 1800 daily MySQL backups dating back two years.
Also publicly exposed were several thousand emails, alongside logins and hashed passwords for ABC Commercial users.
The security firm also claimed it had access to “secret access key and login details for another repository, with advance video content”, as well as requests for licensed content sent by producers from across the globe to use ABC’s content and pay royalties.
“The publicly accessible Amazon S3 buckets were indexed by Censys (a public search engine that enables researchers to ask questions about the hosts and networks that compose the Internet) and identified during a regular security audit of misconfigured S3 environment on November 14,” explained Kromtech’s Bob Diachenko.
“It is unclear who else may have had access to ABC’s data or content. A majority of what would be considered sensitive or identifiable data came from the daily backups of ABC Commercial’s MySQL database.”
The incident should be seen as yet another cautionary tale for firms using Amazon S3. Kromtech and other security firms have discovered a large number of organizations from across the globe making the same mistakes.
In fact, just last week Kromtech Security Center discovered that US ride-hailing service Fasten had accidentally exposed details on one million customers for 48 hours.
Other organizations recently found wanting include Verizon, Time Warner, WWE, Dow Jones, the US Department of Defense and Tarte Cosmetics.
The latter was particularly dangerous, as cybercrime group CRU3LTY managed to get hold of personal information on two million customers that was exposed through a database misconfiguration.
The group is said to have left a ransom note demanding 0.2 Bitcoins ($1193) to regain access to the data.
Source: Information Security Magazine