Another day, another data privacy breach due to incorrect permissions on AWS S3 storage buckets
Today, Sky News announced a report of yet another data privacy breach resulting from incorrect permission settings on AWS S3 storage buckets. In this particular case, the sensitive personal information (SPI) of 200,000+ individuals was publicly available because two different online recruitment firms had the S3 buckets used to store CVs (resumes) set to “Public”.
Not the first time
Unfortunately, this is not the first time this has happened, and it is certainly not a new problem. There are some extremely public announcements such as Capital One, Equifax and Uber. More recent examples include Malindo Air and Lion Air.
The problem – for individuals
Beyond the challenge and “inconvenience” of having personal credentials exposed (e.g. username/password), the recent announcement regarding the incorrect handling of SPI highlights the “real world” implications. While you can change your username, password, even your email address, details such as your home address and phone numbers cannot be taken back – the internet is unforgiving in that way.
The problem – for corporations
Even if you ignore, for a moment, any direct financial impacts (and they can be significant under regulations such as GDPR), as a corporation, the impact to your brand and reputation can be even more catastrophic. Consider the question that a client might be asking after you announce a breach … “If I can’t trust you with this data, what can I trust you with?”
I have taken to “borrowing” a saying from one of my mentors, Rhonda Childress … “Buyer beware”. I find myself using it on an almost daily basis!
When it comes to the security of internet-hosted services, it’s important to understand what is done for you, versus what you need to do for yourself:
- Be careful of the “easy option” – start secure and only permit access on an as-needed basis
- Check your permissions – are they set to be restrictive?
- Permissions are more than username/password – consider firewall rules and who/what/where is allowed to access your services
- Firewalls … simply yes – and make sure that they block everything by default and permit by exception
- Check your logs – understand what is happening in your environment (as well as what people are TRYING to do)
- If you don’t understand – ASK … there is literally a world of people who can, and often will, help you!
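Two of the items in the list above, “check your permissions” and “check your logs”, can be turned into repeatable checks. The script below is an added example, not code from the original post. It works on plain Python dicts in the shapes the AWS APIs return (GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock) and on S3 server access log lines, so it runs offline without credentials; the bucket name, grants, policy and log lines it uses are constructed sample data, and the function names are my own.

```python
"""Offline checks: does a bucket's ACL / policy open it to everyone, and do
anonymous requests show up in its server access logs?

Added example, not part of the original post. Inputs are dicts in the
shape of the AWS API responses; all sample data below is constructed.
"""
import json
import re

# Grantee URIs that mean "everyone": any internet user, or any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_wildcard(principal):
    """True when a policy statement's Principal is '*' or {"AWS": "*"} (any caller)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_exposure(acl, policy_json, public_access_block=None):
    """Return a list of findings describing how the bucket is exposed.

    acl: dict with a "Grants" list (GetBucketAcl shape)
    policy_json: bucket policy as a JSON string, or None if there is no policy
    public_access_block: PublicAccessBlockConfiguration dict, or None if unset
    Only these three settings are examined; object-level ACLs, static website
    hosting and presigned URLs are out of scope for this check.
    """
    pab = public_access_block or {}
    findings = []

    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            if pab.get("IgnorePublicAcls"):
                continue  # Block Public Access neutralises public ACL grants
            who = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")

    if policy_json:
        statements = json.loads(policy_json).get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        for stmt in statements:
            if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
                continue
            if pab.get("RestrictPublicBuckets"):
                continue  # public policy is neutralised for anonymous callers
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            qualifier = " (conditional)" if "Condition" in stmt else ""
            findings.append(f"policy allows {','.join(actions)} to Principal *{qualifier}")

    return findings


# S3 server access log line: owner, bucket, [time], ip, requester, request id,
# operation, key, "request URI", status, ... (later fields are not needed here).
# An unauthenticated request is logged with "-" as the requester.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-)'
)


def anonymous_requests(log_lines):
    """Return (ip, operation, key, status) for every unauthenticated request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("requester") == "-":
            hits.append((m.group("ip"), m.group("operation"), m.group("key"), m.group("status")))
    return hits


# --- constructed sample data (not from any real account) -------------------
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-cv-uploads/*"},
]})
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
SAMPLE_LOGS = [
    '0123456789abcdef example-cv-uploads [10/Sep/2019:12:00:01 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.OBJECT cv/jane-doe.pdf "GET /cv/jane-doe.pdf HTTP/1.1" 200 - 48213 48213 12 11 "-" "Mozilla/5.0" -',
    '0123456789abcdef example-cv-uploads [10/Sep/2019:12:00:05 +0000] 203.0.113.9 0123456789abcdef 7B2A1C4DEXAMPLE REST.PUT.OBJECT cv/new.pdf "PUT /cv/new.pdf HTTP/1.1" 200 - - 51200 30 28 "-" "aws-cli/1.16" -',
]

if __name__ == "__main__":
    print("without Block Public Access:", public_exposure(SAMPLE_ACL, SAMPLE_POLICY))
    print("with Block Public Access:   ", public_exposure(SAMPLE_ACL, SAMPLE_POLICY, LOCKED_DOWN))
    for hit in anonymous_requests(SAMPLE_LOGS):
        print("anonymous request:", hit)
```

Run against the sample data, the first call reports both the AllUsers ACL grant and the `Principal: "*"` policy statement, the second call reports nothing because the bucket-level Block Public Access settings override both, and the log scan surfaces the single `GET` of a CV made with no credentials. In practice you would feed the functions the live API responses and the bucket's access log files, and treat any anonymous hit on a bucket that should be private as something to investigate rather than as noise.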
More than S3
The challenges described above are bigger than just an AWS S3 bucket. While it’s a topical product/service to quote, it would be remiss of me to suggest that it’s the ONLY service that offers cloud-hosted storage. There are examples such as the (in)famous iCloud celebrity photo leak, which shows the impact of targeted attempts to gain access to personal information.
For a few references on how to secure your S3 buckets, please have a look at the following pages – and don’t forget to get your own specific guidance and security review:
- Amazon S3 Security
- AWS Data Privacy
- Securing the files in your S3 bucket
- Securing your data by knowing your data
This post was originally authored on this blog; you can also see the corresponding LinkedIn article here – https://www.linkedin.com/pulse/protect-your-buckets-andrew-barnes