Date: 2018-03-01

Study: SMBs lack thorough understanding of state data breach notification laws

After UpGuard reported yet another exposed AWS S3 server, this time allegedly revealing Capital One financial information hosted on a server belonging to business analytics software firm Birst, the financial services company pushed back, denying that its data had been exposed.

"Birst's appliances provide security advantages that would normally protect against precisely this kind of cloud leak; by entirely cutting the on-premise Birst cloud environment off from access to the wider Internet, security misconfigurations resulting in the exposure of critical information would not be possible," UpGuard Cyber Risk Research Director Chris Vickery wrote in a blog. "Copying that same data, however, to an Amazon S3 bucket that can be accessed by anyone entering a URL — and storing in that bucket not just the encrypted appliance, but the key needed to decrypt the data — enables precisely this kind of cloud leak to occur."

The blog detailing Vickery's findings about the exposed Birst server on the subdomain capitalone-appliance has since been removed, and Capital One denied that the company's data had been at risk.

"This was simply an instance of a vendor's software that was hosted in their cloud environment," a Capital One spokesperson said in a statement. "The referenced passwords and credentials are generic and are used for installing this software," the spokesperson claimed.

The spokesperson said, according to ITWire, that it is the financial services firm's "standard practice" to change "all default settings, including credentials, prior to deploying third-party software. Because of this, there is no impact to the security of Capital One systems and data."