There have been a number of serious data breaches due to misconfigured servers that leave the information publicly exposed. A medical practice’s database server breached over 40,000 patient and staff records, and was only discovered by a cyber risk firm who was proactively searching the web.
In Q4 2017, Accenture left four of its AWS S3 buckets open to the public and exposed confidential API data, customer information and certificates, 40,000 passwords, secret decryption keys, software for the Accenture Cloud Platform offering and other sensitive data – almost all of which was stored in plain text. A misconfigured backup server exposed the information of an estimated 7,000 Bronx Lebanon Hospital patients.
The Verizon breach was also caused by a misconfigured AWS server where a basic access control setting was not applied to the cloud instance of AWS. Encryption had also not been applied to the storage volume within AWS by the thrid-party vendor who managed the systems.
Should you be worried about this within your own network? How prevelant is this issue?
A white hat hacker on Peerlyst tracking publicly accessible Amazon S3 buckets listed these for Feb 2018:
This shared responsibility and the relationships organizations have with third-party vendors are especially important to keep top of mind as regulators begin passing legislation that imposes specific data privacy requirements for companies, such as the E.U.’s General Data Protection Regulation (GDPR). If a company stores any data on European citizens in the cloud, it should ask 3rd party providers specific questions to help ensure they comply.
The risk is clear. Cloud security is one aspect of your overall cybersecurity that should not be overlooked, and a cybersecurity assessment of the cloud systems could save you from a major exposure.