Cloud storage misconfigurations continue to plague the data-privacy space, as evidenced by the new discovery of employment and health information for millions exposed on the web, wide open to any internet passerby.
Two misconfigured cloud databases inadvertently leaked personally identifiable information (PII) in the care of two companies: The Ladders headhunting and job recruitment site, and the SkyMed medical evacuation service. In the latter case, ransomware was found hiding in the mix.
The Ladders property is an Amazon Web Services-hosted Elasticsearch cloud database containing employment information for 13.7 million users. Security researcher and GDI Foundation member Sanyam Jain came across the data, which included names, email addresses, physical addresses and phone numbers. It also included typical resume fare, such as employment history, and in some cases, detailed job descriptions; it also listed security clearances.
The database also held the less-sensitive details of 379,000 job recruiters.
After being notified of the incident, Marc Cenedella, Ladders CEO, confirmed that the company had locked down the bucket: “AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses,” he said in a media statement to TechCrunch. No word on how long the information had been exposed or whether it was accessed.
Meanwhile, another unsecured Elasticsearch database belonging to Florida-based SkyMed was found by Jeremiah Fowler, senior researcher at Security Discovery. It contained 136,995 records in plaintext, including names, dates of birth, phone numbers, physical addresses, email addresses and medical condition information.
SkyMed offers what it calls “premium medical emergency evacuation memberships” for people traveling in the U.S., Canada, Mexico, the Caribbean, Bermuda or the Bahamas – in other words, they’ll send an ambulance or a helicopter for you if you have a medical emergency.
Thus, “inside the database was each member’s file that included personally identifiable information and some accounts had medical information or notes about the user,” Fowler said in a posting this week on the exposure. “This is an Elastic database set to ‘open’ and visible in any browser (publicly accessible), and anyone could edit, download or even delete data without administrative credentials.”
It also came with a kicker: “There was evidence of ransomware inside the database, and this could potentially be evidence of a far bigger exposure,” Fowler said.
Even with that possibility lurking, the company didn’t respond when he reached out, Fowler said – although the database was secured after he sent his messages.
“It is unclear if this incident was reported to members, or the authorities as required by HIPPA and Florida breach and notification laws,” he said. “Despite several attempts and a request for comment regarding this data incident, SkyMed has not responded or commented.”
Threatpost also received no response from the company by press time, and has reached out to Fowler for more details on the ransomware revelation.
The unfortunate reality is that despite high-profile incidents seemingly popping up every day, cloud configuration issues will likely continue to persist: Deborah Kish, executive vice president of research and marketing at Fasoo, told Threatpost that many businesses still don’t understand the shared responsibility model – where cloud providers like AWS are responsible for securing the cloud infrastructure itself, but data owners are responsible for protecting the confidentiality, integrity and availability of the information they choose to host in the cloud.
“[Shared responsibility] is not well understood yet, and it’s still being played out,” she said in an interview. “But the bottom line is that it’s their data, whether it falls under privacy regulations or not, and businesses are responsible for protecting it in the cloud environment.”
She added that companies should also approach cloud storage security from the standpoint that misconfigurations are common, if not likely.
“Nobody’s perfect and everyone makes mistakes, so accidental insider threats are something that’s important to get a grip on,” she said. “Malicious actors may want to take intellectual property from a company, sure, but the bigger part of data exposure is often accidental.”