Organizations continue to leak data through publicly accessible Amazon S3 buckets, pointing a harsh finger at continued lax attitudes toward the custodianship of sensitive data.
Verizon is the latest business affected by this epidemic, leaking in this case files marked confidential from an internal middleware system called DVS.
Researchers at Kromtech Security privately reported the improperly secured S3 instance on Thursday, and shortly thereafter, the bucket was taken down.
“Upon analyzing the content of the repository, we identified the alleged owner of the bucket and sent responsible notification email on September 21st. Shortly after that, online archive has been [taken] down and it has been later confirmed that the bucket was self-owned by [a] Verizon Wireless engineer and it did not belong [to] or managed by Verizon,” Kromtech said in a blog post published today.
The researchers said there was no customer information in the exposed archive, but the 100MB of data included files marked “VZ Confidential” and “Verizon Confidential.” Those files included usernames and passwords that could have allowed attackers to access Verizon’s internal network. DVS, Kromtech said, is middleware for Verizon Wireless’ front-end application and is used to access customer billing data.
Kromtech reported that it found another folder with 129 Outlook messages that included production logs, server details and credentials.
“As more and more data leaks occur it makes consumers, and average individuals more vulnerable online,” said Bob Diachenko, chief security communications officer at Kromtech. “We believe that companies have an obligation to not only take the proper security measures but also protect the data their employees collect and store.”
A request for comment from Verizon was not returned in time for publication.
News of the Verizon leak comes four days after a similar exposure of Viacom data. Viacom, which owns Paramount Pictures along with a number of cable channels, exposed internal credentials and critical business data. Researchers at UpGuard Inc. found the exposed S3 bucket in late August. It contained 72 .tgz files, an extension used by compression tools, that included credentials that allowed access to Viacom servers, storage and databases hosted on the Amazon platform.
“This data contained in seventy-two .tgz files in the bucket appears to be an incremental backup scheme. When decompressed, each .tgz file is revealed to contain a number of folders, such as “manifests,” “configs,” “keys,” and “modules,” as well as a number of files indicating the use of Puppet, a server provisioning and automation suite,” UpGuard said in its report this week.
The leaked data also included scripts indicating Viacom’s use of GPG encryption on its backups and the decryption keys unlocking that data.
“While the exposure has since been closed, following UpGuard’s notification to Viacom, this incident highlights the potentially enormous cost such data leaks can evince upon even the largest and most sophisticated organizations,” UpGuard said. “Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims.”