Another day, another data privacy breach due to incorrect permissions on AWS S3 storage buckets
Today, Sky News announced that there had been yet another data privacy report resulting from incorrect permission settings on AWS S3 storage buckets. In this particular vulnerability, the personally sensitive information (SPI) of 200,000+ individuals was available publicly when 2 different online recruitment firms incorrectly had the S3 buckets used to store CVs (Resumes) set to “Public”.
Not the first time
Unfortunately, this is not the first time that this has happened, and certainly not a new problem. There are some extremely public announcements such as Capital One, Equifax, Uber. More recent examples include Malindo Air and Lion Air.
The problem – for individuals
Beyond the challenge and “inconvenience” of having personal credentials exposed (eg. username/password), the recent announcement regarding the incorrect handling of SPI highlights the “real world” implications. While you can change your username, password, even your email address, details such as home address, phone numbers, can not be taken back – the internet is unforgiving in that way.
The problem – for corporations
Even if you ignore, for a moment, any direct financial impacts (and they can be significant for regulations such as GDPR), as a corporation, the impact to your brand and reputation can be even more catastrophic. Consider the question that a client might be asking after you announce a breach … “If I can’t trust you with this data, what can I trust you with?”
I have taken to “borrowing” a saying from one of my mentors Rhonda Childress … “Buyer beware”. I find myself using it on an almost daily basis !
When it comes to the security of internet-hosted services, it’s important to understand what is done for you, versus what you need to do for yourself:
- Be careful of the “easy option”, – start secure and only permit access on an as-needed basis
- Check your permissions – are they set to be restrictive
- Permissions is more than username/password – consider firewall rules, who/what/where is allowed to access your services
- Firewalls … simply yes – and make sure that they block everything by default, permit by exception
- Check your logs – understand what is happening in your environment (as well as what people are TRYING to do)
- If you don’t understand – ASK … there is literally a world of people who can, and often will, help you!
More than S3
The challenges described above are bigger than just an AWS S3 Bucket. While it’s a topical product/service to quote, it would be remiss of me to suggest that it’s the ONLY service that offers cloud hosted storage services. There are examples such as the (in)famous iCloud celebrity photo leak which shows the impact of targeted attempts to gain access to personal information.
For a few references on how to secure your S3 buckets, please have a look at the following pages – and don’t forget to get your own specific guidance and security review:
- Amazon S3 Security
- AWS Data Privacy
- Securing the files in your S3 bucket
- Securing your data by knowing your data
This post was originally authored on this blog, you can also see the corresponding LinkedIn Article here – https://www.linkedin.com/pulse/protect-your-buckets-andrew-barnes