Amazon AWS Cloud Data Leak: Dow Jones Suffers Massive Exposure

Dow Jones, parent of The Wall Street Journal, is the latest company to misconfigure Amazon Web Services (AWS) and expose mission-critical data on the public cloud. The issue apparently involved a contractor.

Independent security researcher Bob Diachenko discovered the massive Dow Jones Watchlist dataset sitting on a public Elasticsearch cluster. It was 4.4GB in size and available for public access to anyone who knew where to look, the researcher says.

The database, he notes, contained 2.4 million records detailing such extremely sensitive information as:

  • global coverage of senior Politically Exposed Persons, their relatives, close associates, and associated companies;
  • national and international government sanction lists and categories;
  • persons officially linked to, or convicted of, high-profile crimes; and
  • profile notes from Dow Jones, including citations of federal agencies and law enforcement sources.

As one PR market watcher put it: “The indexed, tagged and searchable list includes current and former politicians, citizens with alleged criminal histories and possible terrorist links, and companies under sanctions or convicted of high-profile financial crimes. The exposed records include names, addresses, locations, dates of birth, genders, whether they are deceased or not, and in some cases, photographs.”

MSSP Alert has reached out to Dow Jones for comment.

AWS Cloud Data Leaks: User Error Deja Vu

It’s a familiar, painful story: A big service provider and/or one of its consultants puts data on AWS, but fails to properly secure the information. Generally speaking, all of the recent AWS cloud data leaks involved user error rather than any security issues at the cloud company.

Example data leaks involving AWS include:

Amazon Web Services (AWS) Security Tools

Although the data leaks above involved user error, Amazon has been taking steps to further simplify and fortify security across its cloud services.

The effort includes AWS Security Hub and AWS Secrets Manager.

2 Comments

    Bielo Wilkes:

    Based on my understanding of AWS and its services, the title of the article appears to be misleading. AWS was not breached; the resources of the customer were breached because they failed to secure those resources.

    The title gives the inclination that AWS was at fault even though the opening sentence clarifies what actually occurred, just seems like fake news. How’s this for a clarification? The Wall Street Journal Misconfigures Its Security. Opening sentence. A massive data leak occurred because of misconfigured security settings in the AWS platform, AWS not the cause of the leak.

    Joe Panettieri:

    Bielo: You raise valid points. I’ll keep them in mind as we continue to cover cloud-related security and configuration issues, and the true cause of such issues.
    -jp

    Joe Panettieri
    Content Czar, MSSP Alert
    EVP, After Nines Inc.
    Joe@AfterNines.com
