Amazon S3 Bucket Misconfiguration Leads to 1TB Data Breach

Researchers for cybersecurity have worked feverishly to help seal a breach in misconfigured Amazon S3 buckets that have exposed millions of US business documents, equalling over 1TB of amassed data.

Scouring the Silos

Data breach watchdog firm WizCase conducted an operation that saw over 80 misconfigured cloud storage data silos exposing their data which, according to redacted versions of the files, include real estate tax information for businesses, property photographs and building and city plans from many municipalities around the state of Massachusetts.

The data exposed was seen as a high priority breach that would potentially lead to massive fraud and theft from citizens located in the state. The data contained within the local government database was highly sensitive, including business licences to phone numbers and tax records.

Identified Via Developer

With these items being highly sought by bad actors for exploitative means, the measures were seen as a priority to plug the leak through thorough investigation.

WizCase researchers quickly noticed that the misconfigured buckets name was being used by the same software, which led them towards Massachusetts based software developer PeopleGIS. As well as business licences and other information mentioned above, the silos held personally identifiable information of residential records such as tax deeds, tax information and government position applicant resumes.

Redacted But Not Protected

Whilst a majority of the vulnerable documents had been redacted, they were found to be done so by digital transparent tools such as a marker. By a bad actor simply changing the contrast level of the document by using even a basic photo editing software, the document would be fully transparent to bad actors who could then have full access to the information. As the information contained within the buckets are a gold mine for many threat actors in being able to sell the information on, the lapse in fully protecting redacted information against a basic photo editing software raises a lot of concern for how information is fully protected.

In the case of WizCase’s work over the buckets, the watchdog firm was able to access 86 S3 buckets without the use of a password or any form of encryption. This alarming amount caused WizCase to contact PeopleGIS about the misconfiguration and they have since been secured.

With growing cases of data breach news and actions to secure data being more reactive than proactive, the call for more effective measures from businesses and developers to fully adapt to more protective measures when storing data continues to edge forward.

For more information on big data analytics and any upcoming data analytics conference, check out the events from Whitehall Media.