Researchers with Wizcase have published details on a major breach exposing a number of US cities, all of them using the same web service provider, mapsonline.net from PeopleGIS. The breach compromised citizens’ physical addresses, phone numbers, IDs, tax documents, and more, data that was stored in several misconfigured Amazon S3 buckets whose names followed conventions similar to those of MapsOnline.
Trevor Morgan, product manager with data security specialists comforte AG, weighed in:
“The report that dozens of U.S. municipalities suffered from an expansive data breach related to mapsonline.net points once again to some very common knowledge: a large number of incidents and breaches can be traced back not to aggressive attacks but rather to human error, especially where cloud-service configurations are concerned. In this incident, misconfigured S3 buckets ultimately led to 86 exposed S3 buckets with no password protection or associated data encryption.
Enterprises should take heed of this very common situation and start building a culture of data privacy and security within their organizations which places a premium on employees at all levels embracing quality of processes over speedy execution. Often, in their desire to be hyper-agile, organizations can overlook very basic and common-sense defensive measures. A culture of data privacy and security also puts investments behind the most complete data security toolkits, including data-centric security like tokenization and format-preserving encryption that go well beyond classic encryption and password protection. Tokenization replaces sensitive data elements with representational tokens that, even if in the wrong hands, cannot be leveraged by hackers and other threat actors. Sensitive data that has been tokenized is meaningless and thus worthless on the black market.
This isn’t the first S3 bucket misconfiguration we’ve seen that leads to a data breach, but unfortunately it won’t be the last, either.”
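The commentary above names two of the conditions behind this breach, buckets reachable by anyone and data stored without encryption. The following is an added example, not code from the article, from Wizcase or from PeopleGIS: an offline audit that takes snapshots of a bucket's policy, ACL, Block Public Access settings and default-encryption configuration and flags each of those conditions, then shows the same checks passing on a hardened configuration. The snapshot dictionaries are constructed here and mirror the shapes returned by boto3's `get_bucket_policy`, `get_bucket_acl`, `get_public_access_block` and `get_bucket_encryption`; the bucket name, role ARN, account id and KMS alias are placeholders, and nothing is fetched from AWS.

```python
# Added example (not from the article or from PeopleGIS/MapsOnline): audit S3
# bucket configuration snapshots for public exposure and missing encryption.
# Snapshots are constructed inline in the shapes boto3 returns; nothing is
# fetched from AWS. Bucket names, ARNs and key aliases are placeholders.
import json

# Predefined S3 groups; an ACL grant to either makes the bucket publicly readable/writable.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access settings that should all be true on a private bucket.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "AWS" holds a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_public_statements(policy_doc):
    """Sids (or positions) of unconditional Allow statements granted to everyone."""
    hits = []
    for i, stmt in enumerate(policy_doc.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):  # conditioned grants need manual review
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def acl_public_grants(acl):
    """Permissions the ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def public_access_block_gaps(pab):
    """Block Public Access settings that are absent or false (None = no configuration)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_KEYS if not cfg.get(k, False)]


def default_encryption_missing(enc):
    """True unless at least one default server-side encryption rule is configured."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return not any("ApplyServerSideEncryptionByDefault" in r for r in rules)


def audit_bucket(snapshot):
    """Return finding strings for one bucket snapshot; an empty list means clean."""
    findings = []
    policy = json.loads(snapshot["Policy"]) if snapshot.get("Policy") else {}
    for sid in policy_public_statements(policy):
        findings.append(f"policy grants access to everyone: {sid}")
    for perm in acl_public_grants(snapshot.get("ACL", {})):
        findings.append(f"ACL grants {perm} to a public group")
    gaps = public_access_block_gaps(snapshot.get("PublicAccessBlock"))
    if gaps:
        findings.append("Block Public Access not fully enabled: " + ", ".join(gaps))
    if default_encryption_missing(snapshot.get("Encryption")):
        findings.append("no default server-side encryption rule")
    return findings


# Constructed snapshot of a bucket in the state the commentary describes:
# world-readable policy, public ACL grant, no Block Public Access, no encryption.
EXPOSED_BUCKET = {
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-city-gis-data/*"}]}),
    "ACL": {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]},
    "PublicAccessBlock": None,
    "Encryption": None,
}

# Constructed snapshot of the same bucket after hardening: access limited to one
# application role (placeholder account id), Block Public Access on, KMS default encryption.
HARDENED_BUCKET = {
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-gis-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-city-gis-data/*"}]}),
    "ACL": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"},
                        "Permission": "FULL_CONTROL"}]},
    "PublicAccessBlock": {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": "alias/example-gis-key"},
        "BucketKeyEnabled": True}]}},
}

if __name__ == "__main__":
    for label, snap in (("exposed", EXPOSED_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(label, audit_bucket(snap) or ["no findings"])
```

Run against live accounts, the same functions would take the dictionaries returned by the boto3 calls named above for each bucket; a bucket policy whose public grant carries a Condition (for example an `aws:SourceVpce` restriction) is deliberately not flagged here and should be reviewed by hand, since whether it is actually public depends on the condition.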
Alicia Townsend, technology evangelist with identity management provider OneLogin, added:
“Organizations today need to have a clear understanding of where and how they are storing user data. Not only do these organizations need to ensure this data is protected where it lives today, they need to ensure that their employees are educated about the importance of protecting user data going forward. When everyone understands how crucial it is to protect user data and what that means, then it is harder for incidents like this to slip through the cracks.”