Dow Jones, parent of The Wall Street Journal, is the latest company to misconfigure Amazon Web Services (AWS) and expose mission critical data on the public cloud. The issue apparently involved a contractor.
Independent security researcher Bob Diachenko discovered the massive Dow Jones Watchlist dataset, sitting on a public Elasticsearch cluster. It was 4.4GB in size and available for public access to anyone who knew where to look, the researcher says.
The database, he notes, contained 2.4 million records detailing such extremely sensitive information as:
- global coverage of senior Politically Expose Persons, their relatives, close associates, and associated companies ;
- national and international government sanction lists and categories;
- persons officially linked to, or convicted of, high-profile crimes; and
- profile notes from Dow Jones including citing federal agencies and law enforcement sources.
As one PR market watcher put it: “The indexed, tagged and searchable list includes current and former politicians, citizens with alleged criminal histories and possible terrorist links, and companies under sanctions or convicted of high-profile financial crimes. The exposed records include names, addresses, locations, dates of birth, genders, whether they are deceased or not, and in some cases, photographs.”
AWS Cloud Data Leaks: User Error Deja Vu
It’s a familiar, painful story: A big service provider and/or one of its consultants puts data on AWS, but fails to properly secure the information. Generally speaking, all of the recent AWS cloud data leaks involved user error rather than any security issues at the cloud company.
Example data leaks involving AWS include:
- Alteryx misconfigured AWS cloud storage, exposing personal information for 123 million U.S. households, UpGuard asserted.
- Accenture Cloud data being left in the open on AWS.
- Verizon suffered two AWS-related leaks, including a Verizon Wireless leak and a second exposure in which 14 million Verizon records were readily accessible.
- Sensitive personal files of thousands of U.S. military and intelligence personnel
- 4 million Time Warner Cable customer records were exposed
- WWE database leak with 3 million customer records
- A Republican database with information on 200 million voters
- Dow Jones suffered a similar AWS exposure
Amazon Web Services (AWS) Security Tools
Although the data leaks above involved user error, Amazon has been taking steps to further simplify and fortify security across its cloud services.