Doxzoo, a UK-based document printing company, left an AWS S3 bucket holding more than 270,000 records unsecured, vpnMentor researchers have found. The exposed data includes print jobs for high-profile clients such as US and UK military branches and Fortune 500 companies, according to the disclosure by the research team led by Noam Rotem and Ran Locar.
“The vpnMentor research team discovered the misconfigured Doxzoo database as part of a routine web scanning project,” vpnMentor researcher Lisa Taylor told SC Media UK. “The bucket was left open and unencrypted. Anyone with the URL could just access it.”
Doxzoo's website states that the company holds ISO 27001 certification for information security and that its customers' documents are in “safe hands”.
“The bucket contained over 270k records and was greater than 343 GB in size. It was filled with customers' documents for printing, such as passport scans, PCI, paid programmes, certifications/diplomas, internal military documents etc.,” Taylor said.
Doxzoo was notified on 26 January, four days after the team discovered the exposed bucket, but did not reply, said Taylor. “We decided to reach out to Amazon who managed to rectify the misconfiguration on 11 February.”
“The Doxzoo instance shows once more how dangerous cloud storage systems like S3 Bucket can be when rigorous security procedures aren't implemented. The exposed data had names, addresses, emails and passport scans that will undoubtedly end up on the Dark Web to be used by cyber-criminals,” said Marco Essomba, founder of iCyber-Security.
“These instances keep happening because organisations move to the cloud assuming that cloud storage is safe by default. It’s not. Monitoring storage servers for incorrect configs with regular vulnerability assessments and strong access control can help prevent them from happening. The affected organisations must also ensure that impacted users monitor their credit files for fraud," he added.
Under the shared responsibility model set out by Amazon Web Services (AWS), Amazon is responsible for security of the cloud: it ensures that only authorised parties have physical access to its data centres, runs the network security appliances that protect the underlying infrastructure, such as firewalls and intrusion detection and prevention systems, and monitors their logs for security alerts, addressing any issues with the security of the network itself.
The customer is responsible for security in the cloud: its own application code and the configuration of the resources it creates, which for S3 means the bucket policy, any access control lists, encryption settings and the Block Public Access controls. If there is a vulnerability in the company's code and an attacker exploits it, or a bucket is left readable by anyone with the URL, that is the customer's failure rather than a weakness in Amazon's infrastructure, and the company will be held responsible.
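The customer-side half of that split can be checked mechanically. The following is an added example written for this page, not code from the original article, from vpnMentor or from Doxzoo: a small Python checker that takes an S3 bucket policy document and a bucket ACL grant list of the shape returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`, and flags the two mechanisms that make a bucket readable by anyone who has the URL. The bucket name, account ID, role name and policy contents are constructed for illustration.

```python
import json

# S3 ACL group URIs. AllUsers is anyone on the internet; AuthenticatedUsers is
# anyone holding any AWS account, which for exposure purposes is the same thing.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample inputs (illustrative, not Doxzoo's real configuration).
# OPEN_POLICY lets every principal list the bucket and fetch objects, so anyone
# who knows or guesses an object URL can download it.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-print-jobs", "arn:aws:s3:::example-print-jobs/*"],
    }],
})

# LOCKED_POLICY grants reads to one IAM role and denies plaintext HTTP. The Deny
# statement names Principal "*", which a naive grep would flag; it is a
# restriction, not an exposure, so the checker must look at Effect as well.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrintWorkerRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/print-worker"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-print-jobs/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-print-jobs", "arn:aws:s3:::example-print-jobs/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed ACL grant lists: a legacy "public-read" canned ACL versus owner-only.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
PUBLIC_ACL_GRANTS = [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PRIVATE_ACL_GRANTS = [OWNER_GRANT]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_ids(principal):
    """Flatten a Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    ids = []
    for value in principal.values():
        ids.extend(_as_list(value))
    return ids


def audit_bucket_policy(policy_json):
    """Return (public, review): Sids of wildcard-principal Allow statements with no
    Condition, and Sids of those that carry one. A Condition may narrow access (say,
    to a VPC endpoint) or may not, so those go to a human rather than being passed."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    public, review = [], []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict; only Allow can expose
        if "*" not in _principal_ids(stmt.get("Principal", {})):
            continue  # named principals only
        sid = stmt.get("Sid", f"Statement[{index}]")
        (review if stmt.get("Condition") else public).append(sid)
    return public, review


def public_acl_permissions(grants):
    """Permissions the bucket ACL hands to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTHENTICATED_USERS)]


def is_exposed(policy_json, acl_grants):
    """True if either mechanism makes the bucket readable without credentials."""
    public, _review = audit_bucket_policy(policy_json)
    return bool(public) or bool(public_acl_permissions(acl_grants))


if __name__ == "__main__":
    for name, policy, grants in (("open", OPEN_POLICY, PUBLIC_ACL_GRANTS),
                                 ("locked", LOCKED_POLICY, PRIVATE_ACL_GRANTS)):
        print(name, audit_bucket_policy(policy), public_acl_permissions(grants),
              "EXPOSED" if is_exposed(policy, grants) else "ok")
```

Two caveats worth keeping in mind when running a check like this across an account. First, the policy and ACL are independent: a bucket with a clean policy is still public if a `public-read` ACL is attached, which is why both are evaluated. Enabling all four S3 Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) at account level stops both mechanisms regardless of what individual buckets say. Second, server-side encryption at rest would not by itself have prevented a download here: with the default SSE-S3, S3 decrypts transparently for any request the policy authorises, and a wildcard Allow authorises everyone; only SSE-KMS, which additionally requires permission on the KMS key, turns away an anonymous reader.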
Companies using S3 buckets for analytics or big-data projects and carelessly misconfiguring them is becoming all too common, said Hugo van den Toorn, manager of offensive security at Outpost24.
“To prevent this scenario, companies must ensure they have the security process and controls in place to assess and be alerted of potential misconfigurations on a continuous basis. This is especially true when you consider the sensitive information of military data being left without adequate security parameters,” he said.
“The fact that the information was both unsecured and unencrypted is a clear violation of several regulations. Events like this are easily prevented but very difficult to mitigate, as once the data has been accessed it may appear for sale on the dark web, potentially leading to identity theft or increased phishing attempts.”
There is plenty of guidance and developers should know better by now, but this keeps happening again and again, noted Oliver Pinson-Roxburgh, co-founder at Bulletproof.
“Many businesses are using buckets for their core web applications, and this means you can completely take over the site if they have left it exposed. It’s a very dangerous mistake to make.”