Dow Jones, the American publishing and financial information company, has joined a long list of companies which have left a customer database viewable by anyone on the web.
Prolific database-finder Chris Vickery said in a blog post that various internal databases had been left unsecured in an Amazon S3 storage bucket. A total of 2.2 million customers are believed to be affected by the cloud security blunder.
Vickery points out that the cloud repository in question offered “semi-public access”: whoever set it up had granted read access to any authenticated AWS user, meaning anyone holding an AWS account, not just Dow Jones staff.
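The “semi-public” setting described above corresponds to an S3 bucket ACL grant to the global “Authenticated Users” group. The following is an added example, not code from the article or from Upguard, that audits an ACL for that grant and for the even broader “All Users” grant. It assumes an ACL dictionary shaped like the response of boto3's `s3.get_bucket_acl()`; the sample ACL embedded below is constructed for illustration.

```python
# Added example (not from the article): classify an S3 bucket ACL by how
# widely it grants access. The ACL shape follows boto3's get_bucket_acl()
# response; SAMPLE_ACL is a constructed stand-in for a real response.

# Well-known group URIs that S3 accepts as ACL grantees.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Human-readable description of who each global group really is.
GLOBAL_GROUPS = {
    AUTHENTICATED_USERS: "any AWS account holder",
    ALL_USERS: "anyone on the internet",
}


def find_exposed_grants(acl):
    """Return (who, permission) for every grant to a global group.

    Grants to specific canonical users or to log-delivery groups are
    ignored; only the two world-scale groups count as exposure.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri in GLOBAL_GROUPS:
            findings.append((GLOBAL_GROUPS[uri], grant.get("Permission")))
    return findings


def classify_bucket_acl(acl):
    """Return 'public', 'semi-public' or 'private'.

    'public'      -> at least one grant to AllUsers (no credentials needed)
    'semi-public' -> grants only to AuthenticatedUsers (any AWS account)
    'private'     -> no grants to either global group
    """
    uris = {
        grant["Grantee"].get("URI")
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
    }
    if ALL_USERS in uris:
        return "public"
    if AUTHENTICATED_USERS in uris:
        return "semi-public"
    return "private"


# Constructed sample: the owner keeps full control, but a second grant
# hands READ to every authenticated AWS user (the "semi-public" case).
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0" * 64},
    "Grants": [
        {
            "Grantee": {"Type": "CanonicalUser", "ID": "0" * 64},
            "Permission": "FULL_CONTROL",
        },
        {
            "Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
            "Permission": "READ",
        },
    ],
}


if __name__ == "__main__":
    for who, perm in find_exposed_grants(SAMPLE_ACL):
        print(f"exposed: {perm} granted to {who}")
    print("classification:", classify_bucket_acl(SAMPLE_ACL))
```

In practice the ACL is only one of the ways a bucket can be opened up: a bucket policy can grant the same access independently of the ACL, so a complete audit also inspects the policy and the account's Block Public Access settings rather than relying on `classify_bucket_acl` alone.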
Dow Jones has confirmed the breach. SC understands that Dow Jones considers the incident to be a storm in a teacup and not serious enough to warrant a customer announcement.
Passwords and credit card numbers were not being stored in the database, said Vickery.
However, there is enough information to launch phishing attacks or commit identity fraud.
Dan O'Sullivan from Upguard wrote: “Sending official-looking emails purporting to be from The Wall Street Journal notifying customers their subscription had lapsed, or that their accounts had been compromised, malicious actors could have succeeded in convincing such high-value targets to supply credit card information, login credentials, or more.”
Vickery discovered the exposure at the end of May. Among the files was one containing “customer names, internal Dow Jones customer IDs, home and business addresses, and account details, such as the promotional offer under which a customer signed up for a subscription”.
There is also a risk and compliance database, including “a great many financial industry personnel located around the world”, he said. A lot of the information in the database was publicly accessible.
The announcement on the incident from Upguard makes no mention of whether the repository has since been made private or removed. It does, however, opine that the response of Dow Jones & Company's leadership is of great concern. O'Sullivan writes: “While few enterprises would enjoy notifying customers of such an event, it is of the utmost importance to enable consumers to secure their data and impede the ability of any malicious actors to take advantage of the exposure.”
Christiaan Beek, lead scientist and principal engineer at McAfee, said in a statement: "Companies need to focus on building a fully integrated security system with automated monitoring in place to ensure that they are constantly aware of what is happening on their networks. Finding the right combination of people, process and technology is the key to effectively protecting the organisation's data, detecting any threats and, when targeted, having the capability to rapidly correct affected systems."