Is it a case of incompetence, laziness or poor cloud services design? Whatever the case, someone in the Verizon Communications business ecosystem has once again left confidential information exposed on Amazon Web Services (AWS), according to Kromtech Security Research Center.
According to the report:
"On September 20th, Kromtech Security researchers discovered publicly accessible Amazon AWS S3 bucket containing around 100MB of data attributing to internal Verizon Wireless system called DVS (Distributed Vision Services)...
Although no customers data are involved in this data leak, we were able to see files and data named "VZ Confidential" and "Verizon Confidential", some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon's internal network and infrastructure."
Ouch. The AWS bucket belonged to a Verizon Wireless engineer and it did not belong to nor was it managed by Verizon itself, according to the report. Kromtech alerted the engineer about the exposed data, and the situation was immediately rectified.
Amazon AWS Cloud Data & Security Leaks: Quite Common
A growing number of Amazon-related cloud data leaks have been reported in recent months. In each case, the issue typically involved users who poorly configured their AWS accounts, rather than an Amazon cloud design bug.
AWS cloud leak victims in 2017 have included:
- 14 million Verizon records were left exposed in an earlier leak unrelated to this one
- Sensitive personal files of thousands of U.S. military and intelligence personnel
- 4 million Time Warner Cable customer records were exposed
- WWE database leak with 3 million customer records
- A Republican database with information on 200 million voters
- Dow Jones suffered a similar AWS exposure
Holding AWS Account Owners Accountable?
Security experts are calling public cloud users to more effectively monitor and manage their account settings.
“Given the high number of incidents involving exposed S3 buckets that we have seen in the past few months, it is baffling that every organization is not carefully looking into the configurations and exposure levels of their storage in the cloud." said Zohar Alon, co-founder and CEO, Dome9. "Protecting data in the cloud from accidental exposure and theft is a business priority.
Moreover, companies need to be held highly accountable for their lack of security on the public cloud, Alon asserted. So far, that certainly hasn't been the case.