Unsecured Amazon database exposes sensitive information on British Consultancy Firms - Comment

It has been reported that an unsecured database hosted on Amazon Web Services (AWS) has been discovered exposing sensitive information on thousands of British consultancy firms and the professionals who work with them. The database was found by Noam Rotem and Ran Locar, two researchers at the cyber security firm vpnMentor, who reported that it was stored in an AWS S3 bucket and was leaking information belonging to the HR departments of various British consultancy firms, as well as to individual professionals. The researchers said they were able to see every file stored in the database, including thousands of passport scans, tax documents, background checks, job applications, expense forms, scanned contracts, emails, and salary details.


Robert Ramsden Board, VP EMEA at Securonix, has offered the following commentary:


“Given the sensitive nature of the information exposed in this leak, if this database had been discovered by criminal hackers, the security and privacy consequences for those whose data had been exposed could be great. Individuals incur a heightened risk of experiencing threats such as identity theft and phishing scams.


This may be one of the first data incidents of 2020, but it follows a very similar pattern to numerous data leaks in 2019. Practising basic cyber hygiene is a must for all organisations, particularly those that are trusted with our most sensitive data, and in 2020 those that fail to secure their databases should be held accountable.”


Corin Imai, senior security advisor at DomainTools:

“Personally Identifiable Information is often sold by cybercriminals, who find creative ways to exploit it in attacks such as targeted spear phishing campaigns, account compromise and identity theft. Anyone with an association to the consultancy firm whose data was left exposed on the encrypted database should take preventive measures to avoid falling victim to a scam, such as being wary of emails coming from unknown senders and avoiding clicking on links and attachments they don’t recognise.

In turn, organisations that store data in the cloud should make sure they understand their role in securing it: cloud providers are responsible for the security of the cloud, but customers are still in charge of securing what they choose to store in it.”

Sergio Lourerio, Cloud Security Director at Outpost24:

“Today, we are still in the early days of cloud infrastructure security, and what we are seeing is a prevalence of opportunistic, not very sophisticated attacks, such as looking for publicly accessible AWS S3 data buckets. You’d be amazed to see the data you can find there just by simply scanning for low-hanging data in cloud infrastructures. And it only takes a couple of API calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and a lack of knowledge of security best practices on Azure and AWS, it is very simple to get something wrong.

The solution for low-hanging data is to perform continuous data risk assessments before the attackers do. This can be automated and need not be another big burden for security teams. For more sophisticated attacks such as ransomware, data risk assessments help prevent them as well, by not leaving your data storage open and by tightening the scope of data that ransomware may access. Today, cloud providers such as AWS, Azure and GCP are launching tools for customers to tackle this issue, which can be complemented by cloud security posture management solutions and cloud workload protection platforms, to use Gartner’s terminology.”
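The comments above make two practical points: a bucket like this one is found with a couple of API calls, and the customer, not the cloud provider, is the one who has to check. The following script is an added example, not code from the article or from any of the vendors quoted in it. It performs the customer-side check in pure Python over the three S3 API responses that decide whether a bucket is reachable by the public (bucket ACL, bucket policy, and the Block Public Access configuration), so it runs offline; the bucket names, owner ID and VPC endpoint ID in the sample data are constructed and hypothetical. The response shapes mirror what boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, which is how the inputs would be fed in a real assessment.

```python
import json

# Added example: customer-side triage of S3 bucket exposure. In practice the
# three inputs come from boto3: s3.get_bucket_acl(Bucket=b),
# s3.get_bucket_policy(Bucket=b) (raises NoSuchBucketPolicy when absent) and
# s3.get_public_access_block(Bucket=b) (raises
# NoSuchPublicAccessBlockConfiguration when absent); pass None when absent.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """ACL permissions granted to everyone (AllUsers) or to any AWS account (AuthenticatedUsers)."""
    return sorted(
        g["Permission"]
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
    )


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Split wildcard-principal Allow statements into unconditioned and conditioned Sids.

    A Condition (aws:SourceVpce, aws:PrincipalOrgID, ...) may narrow access, so
    conditioned statements are flagged for review rather than called public.
    This is a conservative triage rule, not AWS's complete public-policy check.
    """
    if not policy_json:
        return [], []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    unconditioned, conditioned = [], []
    for s in statements:
        if s.get("Effect") != "Allow" or not _principal_is_wildcard(s.get("Principal")):
            continue
        (conditioned if s.get("Condition") else unconditioned).append(s.get("Sid", "<no Sid>"))
    return unconditioned, conditioned


def audit_bucket(name, acl, policy_json=None, public_access_block=None):
    """Combine ACL, policy and Block Public Access settings into one finding dict."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    acl_perms = public_acl_grants(acl)
    open_sids, conditioned_sids = public_policy_statements(policy_json)
    # Block Public Access overrides: IgnorePublicAcls neutralises public ACL
    # grants, RestrictPublicBuckets neutralises wildcard-principal policies.
    acl_exposed = bool(acl_perms) and not pab.get("IgnorePublicAcls", False)
    policy_exposed = bool(open_sids) and not pab.get("RestrictPublicBuckets", False)
    return {
        "bucket": name,
        "public": acl_exposed or policy_exposed,
        "public_acl_permissions": acl_perms,
        "public_policy_sids": open_sids,
        "conditioned_public_sids": conditioned_sids,
        "block_public_access_complete": all(pab.get(k, False) for k in PAB_KEYS),
    }


# Constructed sample inputs (hypothetical bucket names, owner ID and VPC endpoint ID).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Owner": {"ID": "example-owner-id"},
             "Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hr-documents-example/*"}]})
VPCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hr-documents-example/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
# The corrected setting: all four Block Public Access switches turned on.
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}


def run_demo():
    """Audit three constructed buckets and return the findings."""
    return [
        audit_bucket("hr-documents-example", LEAKY_ACL),                   # public via ACL
        audit_bucket("hr-policy-open-example", PRIVATE_ACL, OPEN_POLICY),  # public via policy
        audit_bucket("hr-hardened-example", PRIVATE_ACL, VPCE_POLICY, HARDENED_PAB),
    ]


if __name__ == "__main__":
    for finding in run_demo():
        print(json.dumps(finding, indent=2))
```

The point of evaluating all three inputs together is that each one alone gives a wrong answer: a private-looking ACL says nothing about a wildcard bucket policy, and a public ACL is harmless once IgnorePublicAcls is on. Run over every bucket in an account on a schedule, the `public` and `block_public_access_complete` fields are the continuous, automated assessment the last comment describes.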