Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity

    Cloud Data Leak Exposes Information on 123 Million Americans

    By
    Sean Michael Kerner
    -
    December 20, 2017
    Share
    Facebook
    Twitter
    Linkedin
      New Google Cloud DLP Features

      Time and again over the course of 2017, security researchers have discovered personally identifiable information sitting on publicly accessible Amazon S3 cloud storage instances. 

      The latest company to misconfigure cloud data storage is data analytics firm Alteryx, which exposed information on 123 million American households in a data leak reported by security firm UpGuard on Dec. 19.

      “Exposed within the repository are massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the US Census Bureau, providing data sets from both Experian and the 2010 US Census,” Dan O’Sullivan, cyber resilience analyst at UpGuard, wrote in a blog post. “While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data.”

      The misconfigured Amazon S3 storage instance was discovered by UpGuard Director of Cyber Risk Research Chris Vickery, who reported the issue to Alteryx so that it could be fixed.

      Vickery and his team at UpGuard have reported a number of similar instances of improperly configured Amazon S3 storage instances over the course of 2017. On July 12, UpGuard reported that information on 6 million Verizon customers was left exposed on a cloud server. On Oct. 10, the company disclosed that Accenture had left some data publicly available on S3.

      More recently, on Nov. 17, UpGuard reported that it found publicly accessible S3 storage that included information from Department of Defense data collection activities conducted by CENTCOM. The archive included 1.8 billion posts of internet data from social media sites and web forums collected over an eight-year time period.

      While every incident disclosed by UpGuard has its own nuanced root cause, the basic fault is the same, with some form of misconfigured permissions in a company’s use of Amazon S3 storage. In the Alteryx incident, the data wasn’t publicly accessible to anyone on the internet, but rather to anyone who was logged into AWS.

      “While the default security setting for S3 buckets would allow only specifically authorized users to access the contents, this bucket was configured via permission settings to allow any AWS ‘Authenticated Users’ to download its stored data,” O’Sullivan wrote. “In practical terms, an AWS ‘authenticated user’ is any user that has an Amazon AWS account.”

      How Organizations Can Secure Amazon S3 Buckets

      Amazon Web Services has not sat idly by in 2017 as UpGuard and other firms have revealed S3 data leakage incidents. Using tools and services made available by AWS, S3 users can safely and securely store data in the cloud.

      Among the tools that AWS now offers is the Macie machine learning service that was announced on Aug. 14. With Macie, an organization can scan its S3 instances and identify if any personally identifiable information is present. The AWS Config service has also been improved in 2017 with new rules that enable organizations to block public read and writes to S3 storage instances. AWS Config provides policy and configuration settings for cloud services.

      In addition, as of Nov. 8, it’s also easier than ever before to protect S3 data with encryption. S3 now includes a policy option that can make sure that all objects in a storage bucket are encrypted by default. Without encryption for an S3 storage bucket, if data is leaked, an attacker will have full access to all the unencrypted data. With encryption, even in the event of a data breach or leak, the data will not be immediately usable by an attacker. 

      No doubt, UpGuard and other security researchers will find other organizations that have left data exposed in Amazon S3 in the months ahead. That doesn’t mean the cloud is not secure. If organizations make use of the tools that Amazon provides, configure S3 storage for least privilege and make use of encryption, the day could soon come when cloud data leaks become a thing of the past.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×