‘Reindeer’, a New York-based digital media advertising and marketing company that is now out of business, left an Amazon S3 bucket exposed to public access, resulting in the irreversible leak of 50,000 files amounting to 32 GB in total.
Information exposed included about 1,400 profile photos and the details of approximately 306,000 customers in total. Personal details include name, surname, email address, date of birth, physical address, hashed passwords, and Facebook IDs. Phone numbers and physical addresses were the rarest information compromised, but nearly 100,000 of each were exposed. A total of 35 countries were included in the user count with the top 3 (the US, Canada, and Great Britain) accounting for almost 280,000 of those users.
Experts weighed in on this incident.
Pravin Rasiah, VP of Product, CloudSphere:
“Improperly secured AWS S3 buckets are notorious for being one of the leading causes of data breaches due to misconfiguration. This is because inexperienced users can accidentally select the “all users” access option, unwittingly making the bucket publicly accessible. Unfortunately, the chances of this are all too high, leaving many unsuspecting companies leveraging S3 buckets prime targets for hackers looking to exploit sensitive data. To combat this risk, businesses must be acutely aware of any abnormalities within the cloud environment. Leveraging a cloud governance platform with holistic, real-time visibility into the cloud landscape can enable businesses to remediate issues before hackers can target them, ensuring customer data stays secure.”
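The “all users” grant Rasiah describes shows up in a bucket's ACL as a grant to the global AllUsers (or AuthenticatedUsers) group. The following audit is an added example, not code from the article or any vendor quoted here; the sample ACLs are constructed, and the optional account-wide scan assumes `boto3` is installed with AWS credentials in the environment.

```python
"""Flag S3 bucket ACLs that grant access to the global 'all users' groups.

The constructed samples below mirror the shape of boto3's get_bucket_acl()
and get_public_access_block() results, so the audit runs offline.
"""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def public_grants(acl):
    """Return (group, permission) pairs granted to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def audit_bucket(name, acl, public_access_block=None):
    """Classify a bucket as 'public', 'mitigated' or 'private'.

    public_access_block is the PublicAccessBlockConfiguration dict, or None
    when the bucket has none configured (no mitigation for ACL grants).
    """
    grants = public_grants(acl)
    if not grants:
        return {"bucket": name, "status": "private", "grants": []}
    # With IgnorePublicAcls set, S3 disregards public ACL grants entirely.
    if (public_access_block or {}).get("IgnorePublicAcls"):
        return {"bucket": name, "status": "mitigated", "grants": grants}
    return {"bucket": name, "status": "public", "grants": grants}


def audit_account():
    """Run the audit over every bucket visible to the caller's credentials."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            block = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            block = None
        yield audit_bucket(name, s3.get_bucket_acl(Bucket=name), block)


# Constructed sample ACLs (not real buckets).
OWNER_ONLY = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_PRIVATE = {"Grants": [OWNER_ONLY]}
SAMPLE_PUBLIC = {"Grants": [OWNER_ONLY, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
```

Any bucket reported as `public` is listable by anyone on the internet; `mitigated` means the grant is still present but neutralised by Block Public Access and should still be cleaned up.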
Tyler Shields, CMO at JupiterOne:
Misconfigurations and errors in deployment have been exacerbated by the race to move technology to the cloud and a lack of visibility and consistent security within cloud native deployments. Unfortunately, it's very easy to make configuration and permissions / access errors within cloud native deployments. Moving forward, enterprises moving to the cloud would do well to have some system in place that tracks cyber asset state and alerts on errors for their entire cloud infrastructure.
Mohit Tiwari, Co-Founder and CEO at Symmetry Systems:
Cloud-applications and third-party plug-ins accelerate work; instead, the key underlying problem organizations care about is to secure data. That is, to ensure that specific regulated data doesn't end up in unauthorized applications, and that allowed data in these applications is tightly access-controlled. On the plus side, cloud- and SaaS-services all provide knobs to control access, so a data-security service that can overlay data security -- access control, classification, monitoring -- across cloud- and SaaS-services could allay security concerns that stem from using modern enterprise tools.
Douglas Murray, CEO at Valtix:
Public Cloud brings a whole host of new issues to which organizations are still adapting. The case of the Reindeer breach raises serious questions about the shared responsibility model and certainly highlights the need for a layered defense.
When it comes to PaaS services, like S3, organizations must implement network-based access controls and apply security policies to protect against sensitive data exfiltration. These are accepted best practices in the security world, yet most organizations are not applying effective network security in the cloud. A multi-cloud network security platform could have helped simplify and improve security in this case.