A Dow Jones list of 2.4 million people considered at risk for bribery and corruption, as well as high-profile criminals and terrorists, sat out in the open on an unsecured online database, a researcher has found.
Commenting on the story are the following security experts:
Warren Poschman, senior solution architect at comforte AG:
“In a regrettable trend, Dow Jones & Co. is yet another example of a company that has failed its customers without taking proper security measures – and twice now. Surely, heads will roll in their IT organization but it’s their customers that are left at risk and bearing the pain of the identity theft and privacy failures. Really, it’s a classic case of a company wanting to invest in the cool technology, in this case, Elasticsearch and AWS S3 buckets, but they’ve not understood the security ramifications of this technology. Organizations need to adopt data security to protect their data, wherever it may exist or whoever may be managing it on their behalf. A data-centric security model allows a company to protect data and use it while it is protected for analytics and data sharing on cloud-based resources. These incidents would have been preventable with such a model – and if a 3rd party or partner has a security lapse, instead of trying to shift blame, Dow Jones would be talking about how it proactively protected its customers from such threats.”
“This is another case of sensitive data on Elasticsearch clusters being left wide open on the internet, and it happens to be hosted on AWS. We’ve seen this time and time again – companies using Elasticsearch for analytics or big data projects and making careless mistakes in the misconfiguration.
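As an added illustration of the misconfiguration pattern the commentators describe (example code, not from the article or either expert), the following Python audit reads a flat elasticsearch.yml and flags a node bound beyond loopback while X-Pack security or HTTP TLS is left off. The two config fragments are constructed, and the pre-8.x behaviour of security being disabled when the setting is absent is assumed.

```python
# Constructed elasticsearch.yml fragments (assumed; not taken from the article).
WEAK_CONFIG = """
cluster.name: watchlist-analytics
network.host: 0.0.0.0            # listens on every interface
http.port: 9200
xpack.security.enabled: false    # REST API answers without credentials
"""

HARDENED_CONFIG = """
cluster.name: watchlist-analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Bind addresses that keep the node off the network.
LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value):
    return str(value).lower() == "true"


def audit_elasticsearch_config(text):
    """Return findings for the exposure pattern in the article: a node reachable
    beyond loopback with authentication disabled or the HTTP API served in cleartext.
    Assumption: both security settings default to false when absent (pre-8.x)."""
    s = parse_flat_yaml(text)
    hosts = [h.strip(" []") for h in s.get("network.host", "_local_").split(",")]
    exposed = any(h not in LOOPBACK for h in hosts)
    findings = []
    if exposed and not is_true(s.get("xpack.security.enabled", "false")):
        findings.append("network-reachable node with xpack.security.enabled not true: "
                        "REST API requires no credentials")
    if exposed and not is_true(s.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("network-reachable node without HTTP TLS: credentials and data in cleartext")
    return findings
```

A loopback-only node with security disabled produces no finding, since the exposure the experts describe depends on the bind address and the auth setting together.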