Content, Americas, Governance, Risk and Compliance, Breach, Channel markets, Enterprise

Verizon Suffers Second Data Leak on Amazon AWS Cloud

Is it a case of incompetence, laziness or poor cloud services design? Whatever the case, someone in the Verizon Communications business ecosystem has once again left confidential information exposed on Amazon Web Services (AWS), according to Kromtech Security Research Center.

According to the report:

"On September 20th, Kromtech Security researchers discovered publicly accessible Amazon AWS S3 bucket containing around 100MB of data attributing to internal Verizon Wireless system called DVS (Distributed Vision Services)...

Although no customers data are involved in this data leak, we were able to see files and data named "VZ Confidential" and "Verizon Confidential", some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon's internal network and infrastructure."

Ouch. The AWS bucket belonged to a Verizon Wireless engineer and it did not belong to nor was it managed by Verizon itself, according to the report. Kromtech alerted the engineer about the exposed data, and the situation was immediately rectified.

Amazon AWS Cloud Data & Security Leaks: Quite Common

A growing number of Amazon-related cloud data leaks have been reported in recent months. In each case, the issue typically involved users who poorly configured their AWS accounts, rather than an Amazon cloud design bug.

AWS cloud leak victims in 2017 have included:

Holding AWS Account Owners Accountable?

Dome9 CEO Zohar Alon
Zohar Alon

Security experts are calling public cloud users to more effectively monitor and manage their account settings.

“Given the high number of incidents involving exposed S3 buckets that we have seen in the past few months, it is baffling that every organization is not carefully looking into the configurations and exposure levels of their storage in the cloud." said Zohar Alon, co-founder and CEO, Dome9. "Protecting data in the cloud from accidental exposure and theft is a business priority.

Moreover, companies need to be held highly accountable for their lack of security on the public cloud, Alon asserted. So far, that certainly hasn't been the case.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.