Ethical hackers WizCase found another major case of S3 buckets being exposed, this time from a defunct advertising company where data was dated as far back as May 2, 2007.
The marketing company was Reindeer, an American firm previously associated with Patrón Tequila, Tiffany & Co., and clothing brand Jack Wills. The breach exposed customers’ names, dates of birth, email addresses, physical addresses, and phone numbers on 306,000 customers.
A total of 35 countries were included in the user count, with the top three — the United States, Canada, and Great Britain — accounting for almost 280,000 of the users.
Although the default configuration for S3 buckets is closed to the public internet, S3 has become a security timebomb, said Ryan Davis, senior manager, cloud product marketing at ExtraHop. He added that relying on the default configuration assumes that only people within the organization are using it, but companies performing third-party services, like Reindeer Company, often need to share the data collected.
“An IT technician needs to quickly provision and configure resources to get some storage to deliver content,” Davis explained. “They spin up an S3 container and everything is good to go. The problem is that when this IT person provisions storage, he or she may not know how to secure it and there's nothing to prevent the technician from doing it insecurely, or to alert anyone else to the fact that it's insecure or even that it has been opened up in the first place. That may be what happened here, given that the company shut its doors a few years ago yet the data was left exposed.”
Douglas Murray, CEO at Valtix said, the public cloud brings a whole host of new issues to which organizations are still adapting, adding that the Reindeer breach raises serious questions about the shared responsibility model and highlights the need for a layered defense.
“When it comes to PaaS services, like S3, organizations must implement network-based access controls and apply security policies to protect against sensitive data exfiltration,” Murray said. “These are accepted best practices in the security world, yet most organizations are not applying effective network security in the cloud. A multi-cloud network security platform could have helped simplify and improve security in this case.”