Walmart jewelry partner MBM Company managed a misconfigured S3 bucket discovered by Kromtech Security.

Personal information belonging to 1.3 million customers of Walmart jewelry partner MBM Company has been exposed because yet another Amazon S3 bucket was left open on the internet.

The open S3 bucket, named “walmartsql,” housed an MSSQL database backup, named MBMWEB_backup_2018_01_13_003008_2864410.bak, that “contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders, which gives the appearance that this is the main customer database for MBM Company Inc.,” according to a report by Kromtech Security, which discovered the open server on Feb. 3. Dates on the records ranged from 2000 to early 2018.
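A defender-side check for the misconfiguration described above, an S3 bucket whose ACL grants access to everyone on the internet, added here as an example and not taken from the Kromtech report: it evaluates the ACL structure that AWS returns from GetBucketAcl together with the Block Public Access settings, using constructed sample data in place of a live API call.

```python
# Added example: flag S3 buckets whose ACL exposes them to the public.
# The dict layouts mirror what boto3's get_bucket_acl() and
# get_public_access_block() return; the ACLs below are constructed samples,
# not data from the incident.

# AWS predefined groups that make a grant "public".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account holder
}
# Any of these permissions handed to a public group is a finding.
RISKY_PERMISSIONS = {"READ", "WRITE", "FULL_CONTROL", "READ_ACP", "WRITE_ACP"}
BPA_SWITCHES = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_grants(acl):
    """Return (group_uri, permission) pairs that expose the bucket publicly."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in RISKY_PERMISSIONS:
                findings.append((grantee["URI"], grant["Permission"]))
    return findings


def block_public_access_enforced(config):
    """Conservative: only treat the bucket as shielded when all four switches are on."""
    return all(config.get(key) is True for key in BPA_SWITCHES)


def assess_bucket(name, acl, public_access_block=None):
    """Combine ACL grants and Block Public Access into one exposure verdict."""
    grants = public_grants(acl)
    shielded = block_public_access_enforced(public_access_block or {})
    return {"bucket": name, "public_grants": grants,
            "block_public_access": shielded,
            "exposed": bool(grants) and not shielded}


# Constructed sample: a bucket readable by AllUsers, the pattern behind the leak.
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
# Constructed sample: owner-only ACL.
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
]}
LOCKED_DOWN = {key: True for key in BPA_SWITCHES}

if __name__ == "__main__":
    for bucket, acl in (("constructed-open-bucket", OPEN_ACL), ("constructed-private-bucket", PRIVATE_ACL)):
        print(assess_bucket(bucket, acl))
```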

“The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon S3 buckets is simple ignorance,” Kromtech said in a report detailing its findings. “Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them.”

Fred Kneip, CEO at CyberGRX, said the implications are reminiscent of the breach that hit Target a few years ago. “A small third party that most people have never heard of has its weak security controls exploited, allowing hackers to access customer data from a major retailer whose name gets dragged into headlines, affecting the retailer's reputation and bottom line. That sentence describes the infamous 2013 Target breach where attackers compromised a small HVAC vendor, but could just as easily be applied to the recent Walmart breach caused by a jewelry partner,” said Kneip. “Hackers are increasingly targeting vendors, partners and other third parties to access sensitive data, and retailers need to understand that they are going to be held responsible for the security shortcomings of any third party in their digital ecosystem.”

Noting that “organizations must understand where they are storing their data, whether the storage system is appropriate for the data they're keeping there, and whether they have the internal resources to responsibly secure those data systems,” Threat Stack CSO Sam Bisbee said, “the onus must also be on AWS” because while “the shared responsibility model for security is accurate and fair,” it's starting “to feel disingenuous as AWS continues to release point solution tools, yet leaks keep occurring.”

Threat Stack's research shows that open storage buckets aren't limited to S3 buckets, but “nearly three-quarters of organizations have critical AWS misconfigurations of some kind,” particularly “large organizations that have grown rapidly over time, both organically and inorganically, and often rely on third parties.”

Bisbee explained that “it can be very difficult to maintain security visibility into your infrastructure as assumed knowledge gets dispersed, particularly as business leaders continually prioritize speed over security.”