Top 5 Cloud Security related Data Breaches!

161

The Year 2017 has so far witnessed some data slip-ups from the worlds top cloud storage providers and the details are as follows-

Accenture- World’s first Cyber Resilience startup UpGuard discovered in its Cyber Risk survey that Accenture left at least 4 AWS S3 storage buckets unsecured. And as a result of this flaw, the data on these storage media was available for download. The data exposed in this security goof-up were authentication credentials, secret API data, digital certificates, decryption keys, customer data, and other meta info which could be easily used by cyber crooks to mint money. It was revealed in the security analysis that more than 137GB of data was available for public access and some of the data might have been siphoned by hackers to post on the dark web.

Verizon- Nice Systems, which is a 3rd party vendor working for Verizon, committed a configuration blunder on an AWS S3 bucket which exposed names, addresses, account details, and pin numbers of millions of US-based Verizon customers. ‘Nice’ agreed that the mistake was committed by one of its engineers who reportedly created a cloud-based file repository for storing customers call data which is used by Verizon for backend office and call center operations. The info included customer phone numbers, their names, and PIN which was alarming as this info can be used by attackers to gain false access to the accounts and get cloned SIMS. This incident also highlighted the fact that how alarming is the storage of sensitive info on 3rd party vendor.

Booz Allen Hamilton- In this year, technology consulting firm Booz Allen hired UpGuard to carry out security assessment on both its internal and external computer systems. To our surprise, the assessment discovered that 60,000 files were on a public access on AWS S3 bucket owned by an intelligence and defense contract of Booz Allen. The cache is said to have exposed 28GB of data and this includes credentials of senior engineers, passwords of US Government systems, and over half a dozen of files containing unencrypted passwords of government contractors holding top Secret Facility Clearance. Following the incident, US Senator Claire McCaskill who holds a top rank in Senate Homeland Security and Government Affairs Committee issued a public statement saying the data breach was true and Booz Allen will be held seriously responsible for the leak of sensitive info.

Republican National Committee data breach- A 3rd party investigation commissioned by Deep Root Analytics confirmed that personal details of more than 198 million American voters were exposed by a security flaw on AWS S3 bucket owned by Republican National Committee (RNC). The exposed data includes birth dates, phone numbers; self-reported racial background, home & mailing address, and party affiliation. This blunder was committed by an engineer working for Deep Root Analytics which was providing data storage services for RNC. The security report stated that the engineer working for Deep Root Analytics configured the storage platform as public instead of private and as a result of this technical mistake all the content available on the platform was available for public access.

Election Systems & Software (ES&S)- Virtually every registered voter information from Chicago was available for public access when the engineer working for ES&S left the AWS S3 bucket for public access. The data was in downloadable format and is said to have compromised personal info of more than 1.8 million Chicago voters so far. The data includes names, addresses, phone numbers, driver’s license, and social security numbers. Moreover, the exposed database is reported to have created at the time of US 2016 general elections by the Chicago Board of Election Commissioners.