Content, Content, Breach

Walmart Partner Exposes Personal Data of 1.3 Million Customers on AWS Cloud

Security researchers have discovered a publicly accessible Amazon Simple Storage Service (S3) bucket that contained the personal data of more than 1.3 million Walmart customers in the United States and Canada, according to Kromtech Security Center.

The Amazon S3 bucket included an MSSQL database backup that belonged to MBM Company, a Walmart jewelry partner that operates primarily under the name Limogés Jewelry, Kromtech Chief Communications Officer Bob Diachenko said in a prepared statement.

A Closer Look at the Walmart Partner Data Leak

MBM left an Amazon S3 bucket open to the public, stored an unprotected database file that contained sensitive customer information online and stored passwords in plain text instead of encrypting them, Diachenko indicated.

In addition, the following Walmart customer information was exposed due to the Amazon S3 bucket data leak:

  • Addresses.
  • E-mail addresses.
  • IP addresses.
  • Names.
  • Phone numbers.
  • Plain text passwords.
  • Zip codes.

The Amazon S3 bucket's MSSQL database backup also contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes and item orders, Diachenko stated. Database records were available with dates ranging from 2000 to early 2018, Diachenko noted, and the records may have been public since January 13, 2018.

Public Cloud Data Leaks Becoming Problematic for Many Organizations

MBM is one of many companies that recently leaked sensitive data via a publicly accessible Amazon public cloud service.

Other notable Amazon data leaks included:

  • FedExAn unsecured FedEx Amazon S3 cloud server was discovered that contained over 119,000 scanned documents related to U.S. and international citizens.
  • Accenture Cloud: Accenture Cloud intellectual property (IP) was exposed via an Amazon Web Services (AWS) cloud leak.
  • Time Warner CableMore than 4 million Time Warner Cable customer records were exposed via an AWS cloud leak.
  • WWEA World Wrestling Entertainment (WWE) database leak exposed the personal information of more than 3 million users.
  • Dow JonesAbout 2.2 million Dow Jones subscribers were affected by a data leak that occurred due to a misconfigured AWS cloud account.

Amazon S3 offers object storage that enables organizations to store and retrieve data from websites, mobile applications, corporate applications and Internet of Things (IoT) sensors or devices. It is the most supported storage platform available, Amazon stated, and has the largest ecosystem of independent software vendor (ISV) solutions and systems integrator partners.

How Can an Organization Prevent a Public Cloud Data Leak?

Dome9 CEO Zohar Alon
Domeo9 CEO Zohar Alon

Storing customer passwords and other personally identifiable information (PII) in plain text is "not acceptable," Manoj Asnani, VP of Product Management and Design at cyber risk analytics firm Balbix, told MSSP Alert. However, organizations that take a proactive approach to cybersecurity may be better equipped than others to encrypt sensitive data and identify and address security weak points.

Furthermore, organizations must allocate time and resources to ensure their public clouds are configured properly, said Zohar Alon, CEO of cloud infrastructure security company Dome9. This enables organizations – regardless of industry – to minimize the risk of corporate data leaks.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.