Content, Channel partners

DXC Technology Leaks AWS Cloud Private Keys on GitHub, Suffers $64K Loss

DXC Technology, the massive IT consulting firm and Top 100 MSSP, inadvertently uploaded its private Amazon Web Services (AWS) keys to an unsecured Github repository, according to The Register. The private keys were used to launch 244 AWS virtual machines (VMs) over the course of four days, and DXC paid approximately $64,000 to rectify the issue.

The Github repository was created by a member of DXC's technical staff, The Register reported. Then, the private keys were uploaded to the unsecured repository, enabling anyone to access and use them.

Most of the VMs were launched within 24 hours after the AWS private keys became available, The Register stated. However, DXC identified and removed the private keys from the Github repository within 24 hours.

In addition to removing the AWS private keys from the Github repository, all existing keys were recycled and secured, DXC said. Also, DXC has performed an internal investigation and admitted that some of its team members were "not briefed on the (company's) compliance standards and have not received adequate security training."

DXC was formed as part of a merger between CSC and the enterprise services business of Hewlett Packard Enterprise (HPE). It offers cloud, security and other IT services and solutions to nearly 6,000 private and public sector customers across 70 countries.

A Closer Look at DXC's Response to the AWS Private Key Leak

DXC may suffer consequences that extend beyond its bottom line due in part to its inability to prevent the AWS private key leak, the company indicated in a staff memo.

"Legacy CSC colleagues lost confidence in our ability as a team to maintain secure information and even complete the work required," the memo stated. "This also resulted in difficult interactions between colleagues on calls."

Furthermore, DXC offered the following tips to ensure its employees properly safeguard sensitive data in the future:

  • Understand and follow DXC security policies and procedures.
  • Secure PCs, laptops, USB memory devices, credentials, etc.
  • Encrypt sensitive data on all devices.
  • Screen-lock devices when you walk away from them.
  • Use strong passwords; never share or disclose them; and create a unique password for each application or website.
  • Leverage approved anti-malware software on your PC.
  • Accept authorized software updates and apply security patches; download only approved software.
  • Protect sensitive information, regardless of where it is stored.
  • Use collaboration tools securely.
  • Be aware of your surroundings and stay alert.
  • Report incidents to the security incident response center.
  • Do not post about the company on social media if you are not authorized to do so.

Moreover, DXC reminded its staff members that they are "one of the first lines of defense" against cybersecurity issues, The Register reported. DXC also has established a security incident exposure matrix and deployed preventative measures to further reduce the risk of data leaks.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.