Breach, Content

Amazon AWS Cloud Data Leak: Dow Jones Suffers Massive Exposure

Share

Dow Jones, parent of The Wall Street Journal, is the latest company to misconfigure Amazon Web Services (AWS) and expose mission critical data on the public cloud. The issue apparently involved a contractor.

Independent security researcher Bob Diachenko discovered the massive Dow Jones Watchlist dataset, sitting on a public Elasticsearch cluster. It was 4.4GB in size and available for public access to anyone who knew where to look, the researcher says.

The database, he notes, contained 2.4 million records detailing such extremely sensitive information as:

  • global coverage of senior Politically Expose Persons, their relatives, close associates, and associated companies ;
  • national and international government sanction lists and categories;
  • persons officially linked to, or convicted of, high-profile crimes; and
  • profile notes from Dow Jones including citing federal agencies and law enforcement sources.

As one PR market watcher put it: "The indexed, tagged and searchable list includes current and former politicians, citizens with alleged criminal histories and possible terrorist links, and companies under sanctions or convicted of high-profile financial crimes. The exposed records include names, addresses, locations, dates of birth, genders, whether they are deceased or not, and in some cases, photographs."

MSSP Alert has reached out to Dow Jones for comment.

AWS Cloud Data Leaks: User Error Deja Vu

It's a familiar, painful story: A big service provider and/or one of its consultants puts data on AWS, but fails to properly secure the information. Generally speaking, all of the recent AWS cloud data leaks involved user error rather than any security issues at the cloud company.

Example data leaks involving AWS include:

Amazon Web Services (AWS) Security Tools

Although the data leaks above involved user error, Amazon has been taking steps to further simplify and fortify security across its cloud services.

The effort includes AWS Security Hub and AWS Secrets Manager.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.