Hobby Lobby exposed a large amount of data online, including customer names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as source code for the company's app, according to a security researcher.
The data was as recent as 2020, impacted more than 300,000 users, and totaled around 138GB in size, the independent and pseudonymous security researcher known as "boogeyman," who discovered the leak, told Motherboard in an online chat. Boogeyman provided multiple screenshots of the data to Motherboard for verification purposes. Those images indicate the information was hosted on an open AWS bucket, a common source for inadvertently exposed data. The data also included Hobby Lobby employee names and email addresses, Boogeyman added.
Cyber experts weighed in on this latest open AWS bucket leak.
Hank Schless, Senior Manager, Security Solutions at Lookout:
“Misconfigured cloud resources are frequently the cause of data breaches like this one. Organizations that have transitioned to the cloud have massive infrastructure that spans thousands of host servers and other services. Amazon’s S3 service is the base data storage offering for AWS, which means it’s simple to set up and integrate S3 buckets into cloud infrastructure. Unfortunately, that simplicity they offer and the speed at which organizations scale these services up and down oftentimes means the configuration of these buckets is overlooked and the data inside is left exposed.
To mitigate the risk of a breach, organizations need to be sure they secure every aspect of their infrastructure from the individual endpoint all the way up to the cloud service itself. Advanced cloud access security broker (CASB) technology helps secure access to these resources. Coupling CASB with a security posture management tool ensures secure access and configuration of cloud infrastructure. Cloud providers offer countless supporting services and integrations that help teams build a well-architected infrastructure. Leveraging these services should be done in tandem with security teams to ensure there aren’t any misconfigurations that leave data exposed or violate compliance policies.”
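A configuration check of the kind the posture-management point above calls for, added here as an example and not code from the article, Hobby Lobby or Lookout: it evaluates a bucket's Block Public Access flags and its bucket policy in the shapes boto3 returns them, and contrasts a weak configuration with a hardened one. The bucket name, role ARN and account id are constructed.

```python
import json

# Added example (not Hobby Lobby's or Motherboard's code). The inputs mirror
# what boto3's get_public_access_block() and get_bucket_policy() return;
# all sample values are constructed.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy_json: str) -> list:
    """Sids of Allow statements open to everyone with no Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and is_public_principal(s.get("Principal"))
            and not s.get("Condition")]

def audit_bucket(pab: dict, policy_json: str) -> dict:
    """Flag a bucket whose policy is public and which RestrictPublicBuckets
    does not neutralise; also list every Block Public Access flag left off."""
    missing = [f for f in PAB_FLAGS if not pab.get(f, False)]
    public = public_statements(policy_json)
    return {"missing_pab_flags": missing, "public_statements": public,
            "exposed": bool(public) and "RestrictPublicBuckets" in missing}

# Constructed weak configuration: the classic "open bucket".
WEAK_PAB = {f: False for f in PAB_FLAGS}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Hardened counterpart: all four flags on, access scoped to one IAM role.
HARD_PAB = {f: True for f in PAB_FLAGS}
HARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Running `audit_bucket` over every bucket in an account (fetching the two inputs with boto3) gives the inventory a posture-management tool would produce; the `exposed` flag is the case the article describes.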
Douglas Murray, CEO at Valtix:
“The Hobby Lobby incident is the latest example of why we need to take public cloud threat vectors so seriously. In 2020, spend in public cloud exceeded spend in on-prem data centers for the first time. The hackers are doing their own version of ‘lift and shift’ and are aggressively moving to where the market is going. Just as concerning is that for every Hobby Lobby-like leak that we learn about, there is another that goes undetected. It is critical that enterprises make securing their cloud data and workloads a top priority. You need a layered defense approach. Enterprises need to ensure that any endpoint exposed to the internet has proper network security to detect and prevent data leakage.”