Three publicly-accessible cloud storage buckets from data management company Attunity leaked more than a terabyte of data from its top Fortune 100 customers – including internal business documents, system passwords and sensitive employee information.
Israel-based Attunity, which was acquired by Qlik in May and now operates as a division under Qlik, replicates and migrates datasets so that they can be easily analyzed. The company is used by more than two thousand enterprise customers and half of the Fortune 100 companies: Impacted customers whose files were discovered in the exposed datasets include Netflix, TD Bank and Ford.
Researchers with UpGuard discovered the publicly accessible Amazon S3 buckets leaking customers’ internal business documents, backups of employees’ emails and OneDrive accounts, and other sensitive data including email messages, system passwords and more. The storage buckets have since been secured.
“The risks to Attunity posed by exposed credentials, information, and communications, then are risks to the security of the data they process,” said researchers in their Thursday disclosure of the leaked data. “While many of the files are years old, the bucket was still in use at the time detected and reported by UpGuard, with the most recent files having been modified within days of discovery.”
Researchers first discovered the three publicly-accessible Amazon S3 buckets (“attunity-it,” “attunity-patch” and “attunity-support”) on May 13. Attunity, which at that time had been acquired by Qlik, was notified on May 16 – the next day, the buckets were removed.
The total size of the three leaking buckets is uncertain, but the researcher downloaded a sample of about a terabyte in size, including 750 gigabytes of compressed email backups. For reference, the giant Oklahoma government file leak in January that exposed millions of records was three terabytes; the data of almost 200 million voters left exposed by a Republican Party-affiliated data broker in 2017 was 1.1 terabytes.
“Due to the nature of Attunity’s business and the huge volume of email archives present, it is hard to say how many customers are affected to one degree or another,” an UpGuard spokesperson told Threatpost. “Client list spreadsheets present show that Attunity has thousands of client companies. Looking into the exact potential degree of affectedness for each is out of the scope of our research.”
Threatpost reached out to Ford, TD Bank and Netflix representatives but has not yet heard back.
A Qlik spokesperson told Threatpost: “We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations. We take this matter seriously and are committed to concluding this investigation as soon as possible. At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us.”
The Files
Researchers said that they found the bulk of sensitive data in a file “attunity-it,” containing information that dated back to September 2014. The other two files had been uploaded just days before they were discovered.
An UpGuard spokesperson told Threatpost that they were not able to confirm whether anyone else was able to access the information.
In the data sets, researchers found client lists for customers, system credentials (such as private keys), as well as system information (including SAP system details) for customers and Attunity’s own systems.
Beyond that, a slew of personal information was disclosed for customers’ employees – including human resources information for customers like payroll or identity verification data.
Attunity’s own employee information was exposed as well: Researchers found exposed spreadsheets containing employee data, including employee names, payroll, and more. They also found that employee ID numbers for the Attunity employees followed the same numbering scheme as Social Security numbers, leading them to think they might be exposed SSNs.
“The US government site does not return the name of the person with the SSN for obvious security reasons, and so we cannot absolutely verify that these ID numbers are also the employee’s social security number,” they said.
Data Exposure – A Continual Issue
Accidental data exposure continues to be an issue plaguing third-party companies. According to the 2019 Verizon Data Breach Investigations Report, insider-initiated incidents account for 34 percent of data breaches, with many of these being accidental exposures as opposed to malicious.
In May, IT services provider HCL Technologies inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains. In April, hundreds of millions of Facebook records were found in two separate publicly-exposed app datasets.
“The chain of events leading to the exposure of that data provides a useful lesson in the ecology of a data leak scenario,” researchers warned. “Users’ workstations may be secured against attackers breaking in, but other IT processes can copy and expose the same data valued by attackers. When such backups are exposed, they can contain a variety of data from system credentials to personally identifiable information. Data is not safe if misconfigurations and process errors expose that data to the public internet.”