Time Warner Cable, now known as Spectrum, became the latest company to realize exactly how vulnerable its data is when a third-party vendor entrusted with its safety made an error exposing millions of records.
Kromtech Security Center researchers discovered late last week that about four million Time Warner customer records were exposed when they found two cloud-based AWS S3 buckets, connected to software and service provider BroadSoft, open to the public. The information compromised spanned the period from November 10, 2010 to July 7, 2017, and included transaction numbers, MAC numbers, user names, account numbers, and types of service purchased, along with internal development information like SQL database dumps and code with login credentials, Kromtech said.
“They used Amazon's cloud but misconfigured it by leaving it accessible. Amazon AWS buckets are protected by default but somehow were left publicly available. It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” Kromtech wrote.
Kromtech notified BroadSoft on August 29.
"A vendor has notified us that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources. Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them. There is no indication that any Charter systems were impacted," a Charter spokesperson told SC Media in an emailed statement.
This type of breach reveals that cybercriminals don't even have to put forth any effort to extract confidential information, but can rely on the poor practices of others to do the heavy lifting, said industry sources.
"The BroadSoft episode underscores the relevance of the age-old aphorism 'never attribute to malice that which can be reasonably explained by stupidity.' Visibility into your vendors' controls via a comprehensive third party risk management program provides insight into not just the controls and technologies that prevent or mitigate attacks by the bad guys, but also the procedures and policies that are meant to prevent untrained or careless employees acting innocently to inadvertently expose sensitive data in the vendors' custody," said Jeff Hill, Prevalent's director of product management.
Time Warner joins the private security firm TigerSwan, which also had a vendor leave an AWS S3 server open to the public, exposing the resumes of more than 9,000 former U.S. military members.
The fact that so many firms are being victimized in the same manner shows they are not placing the proper priority on off-premise security, said RedLock CEO Varun Badhwar.
“Just as most organizations have adopted advanced threat defense solutions for their on-premise networks, they should also consider implementing solutions that provide advanced threat defense for the cloud. But the reality is this is not happening for the majority of organizations,” he told SC Media.