Cloud Security

S3 misconfiguration exposes sensitive data on more than 3 million senior citizens

Visitors arrive at the cloud pavillion of Amazon Web Services at a technology trade fair on March 14, 2016, in Hanover, Germany. (Sean Gallup/Getty Images)

Researchers reported earlier this week that a misconfigured Amazon S3 bucket exposed the surnames, emails, and phones numbers of more than 3 million senior citizens.

In a blog post, WizCase researchers said the misconfigured bucket belonging to SeniorAdvisor contained more than 1 million files and 182 gigabytes of data. The WizCase team has since reached out to SeniorAdvisor, and the bucket has been secured.

According to the researchers, the contact dates exposed show that the files are from 2002 to 2013, but the files themselves are timestamped 2017. The majority of exposed data was in the form of leads – a list of potential customers whose details were collected by SeniorAdvisor.

S3 configuration mistakes are all too common, though often they lead to very little being disclosed, said Andrew Barratt, managing principal, solution and investigations at Coalfire. Barratt pointed out that there are any number of threat actors constantly scanning for insecure buckets. 

“S3 endpoints are commonly used to store data for cloud-based applications,” said Barratt. “The vast resources on tap from public cloud can make simple errors have a much high magnitude. More often than not, these kinds of misconfigurations are symptomatic of insufficient planning during a cloud migration – or an overly zealous admin trying to quickly get data to someone. Frustratingly, AWS S3 buckets and objects are private by default which means these misconfigurations are entirely self-imposed.”

Tyler Shields, chief marketing officer at JupiterOne, said cyber asset visibility has become a central problem that causes these types of issues. “The speed at which organizations are moving to the cloud and building cloud-native technologies results in rapid growth in security issues from misconfiguration and an absence of asset visibility,” he said. “Having up-to-date configurations, security, and asset visibility is the foundation of a robust security program.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.