Meeting and Hotel Booking Provider’s Data Found in Public Amazon S3 Bucket

Personal and business data belonging to Boston area meeting and hotel booking provider Groupize was discovered in a publicly accessible Amazon Web Services S3 bucket, which has since been locked down.

Leaks of personal and business information from unsecured Amazon S3 buckets are piling up.

The latest belongs to Groupize, a Boston-area business that sells tools to manage small group meetings as well as a booking engine that handles hotel room-block reservations. Researchers at Kromtech Security, parent company of Mackeeper and other Mac-related security tools, found a publicly accessible bucket containing business and personal data, including contracts and agreements between hotels, customers and Groupize, Kromtech said.

The data included some credit card payment authorization forms that contained full payment card information including expiration data and CVV code. The researchers said the database stored in S3 contained numerous folders, below; one called “documents” held close to 3,000 scanned contracts and agreements, while another called all_leads had more than 3,100 spreadsheets containing critical Groupize business data including earnings. There were 37 other folders in the bucket containing tens of thousands of files, most of them storing much more benign data.

Kromtech Security’s Bob Diachenko, chief security communications officer said his company privately disclosed their discovery of the exposed data to Groupize on Aug. 9. A day later, Diachenko said that he reached their corporate office by phone and the person confirmed the company’s use of Amazon, but told Diachenko that “nothing sensitive was there.” Diachenko said the Groupize employee would not transfer the call to IT, nor to anyone in management. The data, however, was secured on Aug. 15, Diachenko told Threatpost.

“We are grateful [Kromtech] shed some light on a potential vulnerability on one of our S3 buckets on Amazon.  We have taken immediate action to remedy the situation,” said Charles de Gaspe Beaubien, Groupize CEO. “Our customers have been made aware of this vulnerability and the steps we’ve taken to further secure our systems.”

This harkens back to a number of similar S3 leaks, the most recent was disclosed last week when the entire Chicago voter roll was discovered in a publicly accessible AWS bucket. AWS storage is set to private by default, and apparently some organizations are choosing to change that configuration to public, and some are paying the price.

“By default, all S3 AWS infrastructure is set to private. However, there is always ‘a somebody’ doing something to ease, or grant the access to. the storage for a reason, and manually sets access rights to ‘public’,” Diachenko said. “The key factor to addressing the security issue here is combination of both automatic protection systems (like Amazon Macie) and never ending internal educational initiatives aimed at raising awareness among different organizational personnel layers.”

Amazon Macie is a new security service recently unveiled that is marketed as a machine-learning tool that discovers, classifies and protects sensitive business and personal data stored in AWS.

Kromtech said it linked the data leak to Groupize by the name of the bucket, called prm-production, a reference to Groupize’s Pipeline Response Manager, a tool used to manage its hotel booking business.

Kromtech has found a number of these AWS buckets exposed to the public, including in July personal data belonging to three million WWE wrestling fans and in February, data belonging to customers of a California-based auto loan company.

Last week’s Chicago voter leak exposed the personal information of 1.8 million active and inactive registered voters, along with security information belonging to a voting machine vendor called ES&S.

“One common thread among these leaks is human error,” said Chris Vickery, UpGuard director of cyber risk research. Vickery said that these mistakes are made in the name of convenience rather than the admin having malicious intent.

“Sysadmins have so much work to do and need to get so many complex things done, that any time they can cut a corner, it seems like they are taking that cut,” Vickery said. “And they’re hoping that doesn’t equal something bad like this being discovered.”

Suggested articles