Thousands of files stored on an Amazon Web Services (AWS) S3 bucket -- HR documents belonging to a host of UK consultancy firms -- were found open to anyone with a browser, said a vpnMentor report.
Most of the files -- detailed HR and financial documents, each containing multiple pieces of personally identifiable information -- date back to the 2014/15 financial year, with some going back as far as 2011.
vpnMentor researchers led by Noam Rotem and Ran Locar discovered the breach as part of their web mapping project.
"Basically anyone with a regular browser could access it. It wasn't encrypted, wasn't even protected with a password and admin," Lisa Taylor, researcher at vpnMentor, told SC Media UK.
The tranche contained thousands of passport scans, tax documents, job applications, proofs of address, extensive background checks, criminal records, expenses and benefits forms, paperwork related to business taxes and HMRC, scanned contracts with signatures, salary information for a range of roles and positions, emails and private messages, loan agreement contracts and more.
The nature of the documents indicated that they belonged to various human resource management databases, said the vpnMentor report. The information stored in the database was traced back to Dynamic Partners (closed in 2019), Eximius Consultants Limited, Garraway Consultants (closed in 2014), IQ Consulting, Partners Associates Ltd (closed in 2018) and Winchester Ltd (closed in 2018), Taylor told SC Media UK.
The owner of the database was labelled "CHS", which the researchers traced back to CHS Consulting, a London-based consulting firm. However, the researchers could not confirm that firm's ownership of the database.
vpnMentor alerted AWS and CERT-UK, the country's computer emergency response team, and the database was secured on 19 December.
However, the risk remains high, given that information dating back to 2011 was left exposed for so long, say cyber-security experts.
"Given the sensitive nature of the information exposed in this leak, if this database had been discovered by criminal hackers, the security and privacy consequences for those whose data had been exposed could be great. Individuals incur a heightened risk of experiencing threats such as identity theft and phishing scams," commented Robert Ramsden Board, VP EMEA at Securonix.
"Personal Identifiable Information is often sold by cyber-criminals, who find creative ways to exploit it in attacks such as targeted spear phishing campaigns, account compromise and identity theft," noted Corin Imai, senior security advisor at DomainTools.
"Anyone with an association to the consultancy firm whose data was left exposed on the encrypted database should take preventive measures to avoid falling victim to a scam, such as being wary of emails coming from unknown senders and avoiding clicking on links and attachments they don't recognise."
The official policy of Amazon Web Services (AWS) states that it will ensure only authorised parties have physical access to its data centres and that it will run the related network security appliances, such as IPS devices, IDS devices and firewalls. It also monitors logs for security alerts and addresses issues with the security of the network itself.
However, code deployed by the customer company is not Amazon's responsibility. If there is a vulnerability in that code and an attacker exploits it, the customer company is held responsible.
"Organisations that store data in the cloud should make sure they understand their role in securing it: cloud providers are responsible for the security of the cloud, but customers are still in charge of securing what they choose to store in it," said Imai of DomainTools.
These are opportunistic, unsophisticated attacks that steal data from publicly accessible AWS S3 buckets, commented Sergio Loureiro, cloud security director at Outpost24.
"You'd be amazed to see the data you can find there just by simply scanning low hanging data in cloud infrastructures. And it only takes a couple of API calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and lack of knowledge of security best practices on Azure and AWS, it is very simple to get something wrong," he said.
Continuous data risk assessment is the primary way to avoid these situations, he suggested.
"This can be automated and not another big burden for security teams. For more sophisticated attacks such as ransomware, the data risk assessments help prevent them as well by not leaving your data storage open and tighten the scope of data that ransomware may access," he added.
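As an added illustration of the automated check Loureiro describes (this is not code from vpnMentor, Outpost24 or any of the quoted experts), the following boto3 script audits the buckets in your own AWS account and reports any whose ACL or bucket policy allows anonymous reads, unless the bucket's public access block settings neutralise that grant. The function names, the constructed LEAKY_ACL sample and the convention of passing an empty dict when no PublicAccessBlockConfiguration is set are assumptions of this example.

```python
import json

# Canned ACL groups that mean "everyone" / "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Constructed sample: an ACL of the kind that leaves a bucket open to any browser.
LEAKY_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]

def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous callers."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def public_exposure(acl_grants, policy, access_block):
    """Findings describing how a bucket is readable by the public ([] if it is not)."""
    findings = []
    if not access_block.get("IgnorePublicAcls", False):  # block setting overrides public ACLs
        for grant in acl_grants:
            grantee = grant.get("Grantee", {})
            group = PUBLIC_GROUPS.get(grantee.get("URI"))
            if grantee.get("Type") == "Group" and group:
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    if policy and not access_block.get("RestrictPublicBuckets", False):
        for stmt in policy.get("Statement", []):
            # Conditions are ignored, so this deliberately over-reports rather than misses.
            if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
                acts = stmt.get("Action", [])
                acts = [acts] if isinstance(acts, str) else acts
                findings.append("policy allows " + ", ".join(acts) + " to Principal *")
    return findings

def audit_account():
    """Run the check on every bucket the caller's credentials can list."""
    import boto3  # imported here so the pure logic above runs without the SDK
    from botocore.exceptions import ClientError
    def fetch(call, default):  # S3 raises ClientError when nothing is configured
        try:
            return call()
        except ClientError:
            return default
    s3, report = boto3.client("s3"), {}
    for b in s3.list_buckets()["Buckets"]:
        name = b["Name"]
        block = fetch(lambda: s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"], {})
        policy = fetch(lambda: json.loads(s3.get_bucket_policy(Bucket=name)["Policy"]), None)
        report[name] = public_exposure(s3.get_bucket_acl(Bucket=name)["Grants"], policy, block)
    return report
```

Run audit_account() with credentials that hold s3:ListAllMyBuckets, s3:GetBucketAcl, s3:GetBucketPolicy and s3:GetBucketPublicAccessBlock; any bucket with a non-empty finding list is one that a scan like the one described in the article would pick up.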