Breach, Content, Content

AWS Cloud Data Leak: UK Consulting Firms’ Sensitive Information Exposed

Several UK consulting firms recently left an Amazon Web Services (AWS) Simple Storage Service (S3) bucket open, according to vpnMentor. Sensitive information from thousands of British professionals was exposed due to the open S3 bucket, which was closed Dec. 19, 2019.

Sensitive information exposed by the UK consulting firms' data leak included:

  • Background checks.
  • Criminal records.
  • Emails and private messages.
  • Job applications.
  • Tax documents.

The data leak was discovered Dec. 9, 2019 and traced back to CHS Consulting, a London-based consulting firm. It contained files belonging to various UK consulting firms, including:

  • Dynamic Partners (closed in 2019).
  • Eximius Consultants Limited.
  • Garraway Consultants (closed in 2014).
  • IQ Consulting.
  • Partners Associates Ltd (closed in 2018).
  • Winchester Ltd (closed in 2018).

Most of the exposed information dated back to 2014-2015, vpnMentor reported. However, some exposed files dated back to 2011.

Global Organizations Suffer AWS Data Leaks

Several global organizations recently experienced AWS data leaks, including:

  • Capital One: A misconfigured AWS web application firewall was discovered last year that exposed data from 100 million individuals in the United States and approximately 6 million individuals in Canada.
  • GoDaddyAn S3 bucket error exposed GoDaddy configuration information from the company's servers in 2018.
  • FedExFedEx customer identification records were discovered on an unsecured S3 cloud server in 2018.

AWS Access Analyzer: Mitigating Configuration Risks

To mitigate such risks, AWS in December 2019 month announced Access Analyzer to help organizations minimize the risk of S3 bucket data leaks.

Access Analyzer notifies an organization if it has an S3 bucket that is configured to allow access to anyone on the Internet or is shared with other AWS accounts, AWS stated. It also enables an organization to evaluate its S3 bucket-level permission settings and ensure that only authorized users can access an S3 bucket.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.