
Wide open Apache Airflow server at Universal Music Group contractor exposes FTP, SQL, AWS credentials

An unsecured Apache Airflow server at cloud data storage contractor Agilisium exposed internal FTP credentials, SQL passwords and AWS secret access key and password information for Universal Music Group.

Researchers at the Kromtech Security Center, who discovered the unprotected server, said in a blog post that because Airflow is wide open by default, organizations “must take the steps to secure the server,” steps that “were obviously skipped by whomever set up this server.”

By failing to adequately safeguard the server, “they inadvertently exposed everything,” Kromtech researchers wrote.

“The amount of damage a single contractor with lax security controls can do is staggering. If you don't believe that, just ask Target and the HVAC contractor that led to that infamous breach,” said Bryan Gale, chief product officer at CyberGRX. “Universal Music Group interacts with thousands of third parties on a daily basis, and it only took one – a contractor who forgot to password protect an Apache Airflow server – to leave the keys to the kingdom exposed.”

Gale said these incidents will continue “until organizations start prioritizing third-party risk management and actively maintain ongoing visibility into their ecosystem.”  
