On-site security firm Securitas left an Amazon Web Services (AWS) Simple Storage Service (S3) bucket open, according to antivirus review website SafetyDetectives. The result: Securitas exposed nearly 1.5 million files, equating to about 3TB of data.
Securitas corrected the misconfiguration in November 2021, roughly five days after SafetyDirectives reached out to the firm about the issue. The bucket was live and being updated when it was discovered, SafetyDetectives stated. Also, the misconfiguration is not Amazon's responsibility.
MSSP Alert has reached out to Securitas for additional comment, and we will update this article if/when we hear back.
MSSPs and Cloud Security Posture Management (CSPM) Tools
For MSSPs, the disclosure is a timely reminder that customers need Cloud Security Posture Management (CSPM) tools to make sure AWS, Microsoft Azure and Google Cloud Platform workloads are properly configured and protected from wandering eyes.
Demand for CSPM solutions is surging. Among the reasons: 90 percent of organizations are susceptible to security breaches due to cloud misconfigurations, according to the “2021 Cloud Security Report: Cloud Configuration Risks Exposed” from application lifecycle security company Aqua Security.
With those risks in mind, annual CSPM spending will reach $9 billion by 2026, up from $4 billion in 2020, according to Markets and Markets. That’s a 14.4 percent compound annual growth rate.
On a related note, 41 percent of our Top 250 MSSP survey participants already offer CSPM to their end customers, MSSP Alert research found in September 2021.
Securitas Data Exposure: The Details
Securitas' exposed data relates to airport employees from different sites across Colombia and Peru, SafetyDetectives noted. It includes:
- Employee personally identifiable information (PII) and sensitive company data for at least four airports in Colombia and Peru
- Photos of ID cards and other unmarked photos of Securitas employees and airport employees
- Exchangeable Image File Format (EXIF) data that exposed specific information relating to photos
In addition, there is a "high probability" that every Colombian airport that uses Securitas is affected by the misconfigured Amazon S3 bucket, SafetyDetectives said. Securitas also could face sanctions for various data protection violations.