A non-profit organization in Los Angeles County misconfigured an Amazon Web Services (AWS) S3 cloud bucket -- leaving 3 million records and highly sensitive health information exposed, according to the UpGuard Cyber Risk Team.
The exposed information, UpGuard says, involved such health and human services data as:
"more than 3 million rows of call logs, 200,000 rows of detailed notes, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns. In many of these cases, full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers are revealed among the data."
The UpGuard Cyber Risk Team discovered the exposed AWS bucket on March 14 and then reached out to various contacts at the LA County 211 service. The security researcher finally connected with the appropriate contact on April 24; the misconfigured bucket was corrected within 24 hours of that communication, UpGuard says.
MSSP Alert has reached out to the LA County 211 service, but has not received a statement from the service about the alleged issue.
Executives from across the IT industry weighed in with perspectives. Mike Schuricht, VP of product management at Bitglass, believes misconfigured cloud accounts are emerging as "some of the most common and widely targeted attack vectors across all industries."
In the struggle to find the right talent and IT management tools, Schuricht adds, many firms are "susceptible to misconfigurations as they struggle to implement security best practices like continuous monitoring, data loss prevention, behavior analytics, and the like. As it is often not possible for these organizations to scale their security teams, it is absolutely critical that they implement flexible, cost-effective solutions."
Added Zohar Alon, co-founder and CEO of Dome9: "Considering the amount of focus that S3 bucket misconfigurations have gotten in recent months, this exposure of sensitive information is simply unjustifiable."
Amazon has certainly been working to help customers improve their security postures. For instance, the cloud giant in 2017 launched Amazon Macie for data loss prevention, Alon notes.
"There is also a rich ecosystem of security solution providers focused on helping organizations prevent major exposures such as this," he adds. But ultimately it all comes down to accountability. "At the end of the day, organizations are responsible for ensuring that they implement continuous compliance and active cloud protection in order to protect personal information and prevent misconfigurations like this from slipping through the cracks."
AWS Cloud Data Leaks, Exposures and User Error
This is the latest in a growing list of AWS cloud data exposures that involved user error rather than any type of Amazon hack, breach or vulnerability on the part of the cloud services provider. Similar AWS cloud bucket exposures have involved:
- Accenture: Mission-critical Accenture Cloud intellectual property (IP) was exposed via an AWS cloud leak.
- FedEx: Roughly 119,000 customer identification records were exposed.
- Time Warner Cable: More than 4 million customer records were exposed via an AWS cloud leak.
- WWE: A World Wrestling Entertainment database leak exposed the personal information of more than 3 million users.
- Dow Jones: About 2.2 million subscribers were affected by a data leak caused by a misconfigured AWS cloud account.
Amazon has taken multiple steps to simplify AWS settings and configuration options for end-customers, but UpGuard and other security researchers continue to occasionally find exposed AWS buckets.
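The class of misconfiguration behind every incident on this list is visible from two documents AWS returns for any bucket: its ACL and its bucket policy. The Python below is an added example, not UpGuard's tooling and not code from the article or from LA County 211. It implements the check a continuous-monitoring job would run: flag any ACL grant to the AllUsers or AuthenticatedUsers groups, and any policy statement that allows a wildcard principal. It works on the same dict and JSON-string shapes that boto3's `get_bucket_acl()` and `get_bucket_policy()['Policy']` return, but the sample ACLs, policies, bucket names, account ID, role ARN and VPC endpoint ID are constructed placeholders so the script runs offline.

```python
"""Offline check for the two ways an S3 bucket becomes world-readable:
a public ACL grant and a bucket policy with a wildcard principal.
Added example; sample data below is constructed, not from any real bucket."""
import json

# Real S3 predefined-group URIs. A grant to either exposes the bucket to the world
# (AuthenticatedUsers means any AWS account at all, not just accounts you own).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group URI, permission) pairs in an ACL that expose the bucket to everyone.
    `acl` has the dict shape boto3's s3.get_bucket_acl() returns."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def _wildcard_principal(principal):
    """True for Principal "*", {"AWS": "*"} or "*" inside an AWS principal list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def classify_policy(policy_json):
    """Split a bucket policy into statements that are unconditionally public
    (Allow + wildcard principal + no Condition) and wildcard-principal statements
    gated by a Condition, which still need a human look: a Condition such as
    aws:SourceIp 0.0.0.0/0 is public in all but name.
    `policy_json` is the string s3.get_bucket_policy()['Policy'] returns."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    public, review = [], []
    for s in statements:
        if s.get("Effect") != "Allow" or not _wildcard_principal(s.get("Principal")):
            continue
        (review if s.get("Condition") else public).append(s.get("Sid", "<no Sid>"))
    return {"public": public, "review": review}


def assess_bucket(name, acl, policy_json):
    """One finding record per bucket; is_public is what a monitor would alert on."""
    grants = public_acl_grants(acl)
    policy = classify_policy(policy_json)
    return {
        "bucket": name,
        "public_acl_grants": grants,
        "public_statements": policy["public"],
        "review_statements": policy["review"],
        "is_public": bool(grants or policy["public"]),
    }


# Constructed sample data (placeholders, not from the article or any real account).
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},  # the classic "everyone can list/read" mistake
]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"},
]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/case-management-app"},  # placeholder
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},  # placeholder
]})

if __name__ == "__main__":
    for name, acl, pol in [("example-call-logs-exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("example-call-logs-hardened", PRIVATE_ACL, HARDENED_POLICY)]:
        print(json.dumps(assess_bucket(name, acl, pol), indent=2))
```

Run against live accounts, the same two functions would be fed the output of `get_bucket_acl` and `get_bucket_policy` for every bucket in every account, on a schedule; that is the "continuous monitoring" the quoted executives refer to. The check is deliberately conservative: statements gated by a Condition land in `review_statements` rather than being silently accepted, because a permissive Condition is as public as no Condition at all.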