Dow Jones believes 2.2 million records were potentially exposed to public viewing.

A misconfigured database on an Amazon S3 server may have exposed the data of between two and four million Dow Jones & Co. customers, a report on the incident stated.

Dow Jones confirmed to SC Media that it believes 2.2 million records were potentially exposed to public viewing, an event it described as a “data over-exposure, not a breach,” but UpGuard's Cyber Risk Team “conservatively” pushed that number up to 4 million. UpGuard's Director of Cyber Risk Research Chris Vickery came across the Amazon S3 cloud-based data repository on May 30 and discovered it was accessible to AWS authenticated users. He was then able to download 2GB of data, which contained text logs of Dow Jones customer data.

“However, per analysis of the size and composition of the repository, UpGuard conservatively estimates that the number may be as high as four million, though duplicated subscriptions may account for some of the difference,” the UpGuard report stated.

The downloaded database contained customer names, internal Dow Jones customer IDs, and home and business addresses. Perhaps most critical was the inclusion of the last four digits of customer credit cards in the files, as well as the email addresses customers also use to log in to their accounts, which could be used to build a phishing attack, UpGuard warned.

Dow Jones' Director of Communications Steve Severinghaus told SC Media that the data was “over-exposed” only on AWS and not the internet. In addition, the incident was not due to an unauthorized person gaining entry.

“This was due to an internal error, not a hack or attack. The customer information included basic contact information; it did not include full credit card or account login information that could pose a significant risk for consumers or require notification,” Severinghaus said, adding the company has no evidence that any of the exposed data was taken.

UpGuard also cannot tell at this point if any information has been accessed by malicious actors.