Another Amazon AWS Cloud Data Leak: 14M Verizon Customer Records Exposed
Data from 14 million Verizon customers has been exposed on the Amazon Web Services (AWS) Simple Storage Service (S3), ZDNet reported. While Amazon is not to blame for this latest cloud data leak, the news reinforces a familiar theme: AWS users and contractors are failing to properly configure and secure their cloud accounts.
According to the report:
“As many as 14 million records of subscribers who called the phone giant’s customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra’anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address.”
This is at least the third time in recent weeks that an AWS customer has exposed a major database to potential cyber thieves. In the other two cases:
- A WWE database leak on AWS exposed 3 million customer records
- A database of 200 million Republican voters was left exposed on AWS earlier this year
- Updated July 17, 2017: Dow Jones suffers a similar AWS exposure
User Error — Not Amazon — Is to Blame
Security experts point the finger of blame at users and organizations that lack training and well-defined business processes for safeguarding cloud-based assets.
“It has become abundantly clear that many users still do not fully understand how to configure S3 buckets to prevent data exposure,” said Zohar Alon, co-founder and CEO, Dome9, which specializes in public cloud security. “Storing sensitive data in the cloud without putting in place appropriate systems and practices to manage the security posture is irresponsible and dangerous. A simple misconfiguration or lapse in process can potentially expose private data to the world and put an organization’s reputation at risk.”
Added Rich Campagna, CEO of Bitglass, “This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest. Companies like Verizon must put policies in place that require third-party vendors like Nice to adequately protect any customer data that touches the cloud.”