The revelation last week of the discovery of unprotected scanned identification documents from a number of countries — including Canadian passports — on an open Amazon S3 server, apparently created by a company FedEx bought several years ago, is just another example of how corporate data security policies are either not tough enough or are being flouted by employees.
It isn’t clear if anyone else discovered the data. FedEx has said there’s “no indication” data has been “misappropriated.” However, in an interview with ITWorldCanada.com, Alex Heid, chief security officer at SecurityScorecard, noted, “If this researcher found it, they probably weren’t the first.”
The bucket, found by Kromtech, which makes Mac security tools, included more than 119,000 scanned passports, driver’s licences and U.S. post office declaration forms that included personal information. Kromtech security experts concluded that the data apparently belonged to Bongo International LLC, which specialized in helping North American retailers and brands sell online to consumers in other countries. Bongo was bought by FedEx in 2014 and later became FedEx Cross Border International. However, the division was closed just under a year ago.
Data on the bucket apparently covered the years between 2009 and 2012.
Kromtech tried and failed to get the attention of FedEx on this. It had to use a U.S. tech reporter to pass on the message and finally get FedEx to take the bucket offline. According to Kromtech, FedEx told it that “after a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure.” The data, it added, was part of a service that was discontinued after its acquisition of Bongo.
This is just another example — in a long list — of blunders by people using Amazon services for storing or processing data and failing to take elementary security precautions.
In a cloud security trends report issued today (registration required), security vendor RedLock Inc. said its researchers recently discovered an unprotected Kubernetes console that belongs to electric vehicle maker Tesla. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment. An examination of the environment revealed that it contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as vehicle telemetry.”
RedLock estimates 58 per cent of organizations using cloud storage services such as Amazon S3 and Microsoft Azure Blob storage inadvertently exposed one or more such services to the public. It also estimates 73 per cent of organizations are allowing the root user account to be used to perform various activities. “This goes against security best practices and Amazon has strongly warned against this; administrators are advised to lock away root user access keys and create individual IAM (identity and access management) users instead.”
In general, RedLock urges administrators to at least forbid the use of root accounts for day-to-day operations and enforce multi-factor authentication on all privileged user accounts. In some cases it may be necessary to automatically force periodic rotation of access keys, particularly for sensitive accounts.
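One way to check an account against the three practices RedLock lists (no day-to-day root use, MFA on console users, periodic key rotation) is to run them over an IAM credential report, the CSV AWS generates per account in which the root account appears as `<root_account>`. The script below is an added example, not code from the article or from RedLock; the report rows, account id, user names and dates are constructed, the 90-day rotation window is an assumption, and because the report does not say which users are privileged it checks MFA on every user with a console password.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report; the
# account id, user names and timestamps are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2015-01-10T08:00:00+00:00,not_supported,2018-02-10T09:15:00+00:00,not_supported,not_supported,false,true,2015-01-10T08:00:00+00:00,2018-02-09T22:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2016-03-01T10:00:00+00:00,true,2018-02-12T07:30:00+00:00,2017-11-01T10:00:00+00:00,N/A,true,true,2018-01-15T10:00:00+00:00,2018-02-12T07:35:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-svc,arn:aws:iam::111111111111:user/legacy-svc,2012-06-20T10:00:00+00:00,true,2013-04-02T12:00:00+00:00,2012-06-20T10:00:00+00:00,N/A,false,true,2012-06-20T10:00:00+00:00,2013-04-02T12:10:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
REVIEW_DATE = datetime(2018, 2, 20, tzinfo=timezone.utc)  # "now" for the constructed sample

def _parse_ts(value):
    """Return an aware datetime, or None for N/A, not_supported and no_information."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def audit_credential_report(report_csv, now, max_age_days=90):
    """Return (user, finding) pairs for root use, missing MFA and stale access keys."""
    window = timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root has an active access key"))
            last_used = _parse_ts(row["password_last_used"])
            if last_used and now - last_used <= window:
                findings.append((user, "root signed in within the review window"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        # The report carries no privilege information, so every console user is checked.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > window:
                findings.append((user, f"access key {n} not rotated in {max_age_days} days"))
    return findings

def run_sample():  # audit the constructed report as of REVIEW_DATE
    return audit_credential_report(SAMPLE_REPORT, REVIEW_DATE)
```

On a real account the report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose base64 `Content` decodes to the same CSV layout.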
Other lessons: As Kromtech notes, this case highlights how important it is for the CIO to demand an audit of digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale. SecurityScorecard’s Heid also notes that use of a cloud access security broker (CASB), which monitors employee use of cloud services, would help.
Amazon isn’t the only cloud service that employees are “messing up with,” says Heid. Staff will always look for a “quick and easy way” to solve problems, he pointed out. Some, like Amazon, have user security guidelines, he added. They may be followed by one administrator, but a successor or another staffer may forget or ignore the settings.