In addition to the cyber security firm, the 343GB of leaked data belongs to universities, an insurance firm, a non-profit, and public limited companies.
If we got a penny for every unsecured server we have reported on, it might add up to vacation money by now.
In another recent incident, security researchers Noam Rotem and Ran Locar of vpnMentor have reported an unsecured AWS S3 bucket containing over 5.5 million files, totaling 343GB of data. The bucket was found on December 20, 2019, but the researchers could only disclose it now, in keeping with responsible disclosure practices.
The main database allegedly belongs to a US-based project management company called InMotionNow, which has clients in both the States and France, placing the data of a number of companies at risk. The list includes the data of the following:
- Universities including Kent State & Purdue
- ISC2.org – a cyber security firm
- Brotherhood Mutual – an insurance company
- Public limited companies such as Zagg & Myriad Genetics – both listed on the NASDAQ stock exchange
- Freedom Forum Institute – a non-profit organization, and others.
According to vpnMentor’s blog post, the data exposed in the incident includes business intelligence, analytic reports, and internal presentations with confidential information such as customer counts, company strategies, annual revenues, and product labels.
Moreover, the database also included email addresses from mailing lists and, in the case of the universities, personally identifiable information (PII) including full names, physical addresses, phone numbers, donation amounts, and donor details such as their degree and year.
All of this data can put these companies and their employees at personal risk as well as at risk of losing business. For example, competing businesses could take advantage of the exposed market strategies and other analytical reports and adapt their own plans accordingly.
To conclude, the researchers notified all the involved stakeholders, and the bucket was secured on February 17, 2020.
For the future, our advice remains the same for everyone who runs a database: use strong alphanumeric passwords along with 2FA, and train your employees to guard against social engineering tactics. Even though this takes effort in the short term, it pays off in the long haul through greater customer trust.
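The closing advice is about passwords, 2FA and staff training, but an S3 bucket like the one in this incident is reachable without any credentials when its access configuration allows anonymous principals. The check a practitioner would want is therefore on the bucket's own settings. The script below is an added example written for this article; it is not code from the article, from vpnMentor or from InMotionNow. It parses the three documents that decide whether a bucket is public (the bucket policy, the bucket ACL and the Public Access Block settings, as returned by the AWS API) and reports every grant that opens the bucket to everyone. The policy and ACL documents, the bucket name `example-bucket` and the owner ID are constructed samples; the group URIs and the four Public Access Block flag names are the real S3 values.

```python
"""Audit an S3 bucket's access configuration for anonymous exposure.

Added example, not the article's or the project's own code. The sample
policy, ACL and Public Access Block documents below are constructed for
this example; in practice they come from get_bucket_policy,
get_bucket_acl and get_public_access_block.
"""
import json

# S3's predefined groups meaning "everyone" and "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four flags of the Public Access Block configuration.
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True if a policy statement's Principal matches anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return Allow statements whose Principal is anonymous.

    Statements that carry a Condition are still reported (flagged as
    conditional) because conditions such as aws:SourceIp are easy to get
    wrong; a reviewer should read them rather than trust them.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                             "actions": stmt.get("Action"),
                             "conditional": "Condition" in stmt})
    return findings


def public_acl_grants(acl):
    """Return ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append({"group": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": grant.get("Permission")})
    return findings


def public_access_block_gaps(config):
    """Return the Public Access Block flags that are not switched on."""
    return [flag for flag in BLOCK_FLAGS if not config.get(flag, False)]


def audit_bucket(policy, acl, public_access_block):
    """Run all three checks; 'exposed' says whether a public grant is effective.

    RestrictPublicBuckets neutralises a public bucket policy and
    IgnorePublicAcls neutralises public ACL grants, so a grant only counts
    as an exposure when its matching block flag is off.
    """
    report = {
        "policy": public_policy_statements(policy),
        "acl": public_acl_grants(acl),
        "public_access_block_gaps": public_access_block_gaps(public_access_block),
    }
    policy_exposed = bool(report["policy"]) and not public_access_block.get("RestrictPublicBuckets", False)
    acl_exposed = bool(report["acl"]) and not public_access_block.get("IgnorePublicAcls", False)
    report["exposed"] = policy_exposed or acl_exposed
    return report


# Constructed sample: a policy that lets anyone list the bucket and read objects.
SAMPLE_LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

# Constructed sample: an ACL that grants READ to the AllUsers group.
SAMPLE_LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}

# The weak setting (Block Public Access entirely off) and the corrected one.
NO_BLOCK = {flag: False for flag in BLOCK_FLAGS}
FULL_BLOCK = {flag: True for flag in BLOCK_FLAGS}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_LEAKY_POLICY, SAMPLE_LEAKY_ACL, NO_BLOCK), indent=2))
    print(json.dumps(audit_bucket(SAMPLE_LEAKY_POLICY, SAMPLE_LEAKY_ACL, FULL_BLOCK), indent=2))
```

With `NO_BLOCK` the report lists the `PublicRead` statement, the `AllUsers` READ grant and all four missing flags, and marks the bucket exposed; with `FULL_BLOCK` the same grants are still reported as findings worth removing, but the verdict is no longer exposed, which is why turning on all four Public Access Block flags at the account level is the first fix to apply.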