Dow Jones AWS S3 Server Error Leaks Personal Data Of 2.2 Million Customers
The exposed data includes names, addresses and the last four digits of credit card numbers
Financial publishing giant Dow Jones has confirmed that it leaked the personal information of 2.2 million customers after wrongly configuring an Amazon Web Services (AWS) S3 cloud storage server.
Security firm UpGuard first discovered the leak in early June and says that the server had been set up to allow “semi-public access”, resulting in the exposure of sensitive personal and financial information.
The leaked data includes the names, addresses, account information, email addresses and last four digits of credit card numbers of millions of Dow Jones subscribers.
Leaky server
Dow Jones is the parent company of several leading financial publications – including The Wall Street Journal and Marketwatch – and boasts millions of subscribers across its portfolio.
Although the company has admitted that 2.2 million customers were affected, UpGuard “conservatively estimates” that the true scale of the breach could be closer to 4 million.
“The exposed data repository, an Amazon Web Services S3 bucket, had been configured via permission settings to allow any AWS “Authenticated Users” to download the data via the repository’s URL,” writes Dan O’Sullivan on the UpGuard blog.
“Per Amazon’s own definition, an “authenticated user” is “any user that has an Amazon AWS account,” a base that already numbers over a million users; registration for such an account is free. The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity.”
Also stored in the repository, which was secured on June 6th, were the details of 1.6 million entries in a risk and compliance suite of databases, which are used by financial institutions for compliance with anti-money laundering regulations.
This is not the first time an AWS S3 database has been the source of a data leak, which highlights how businesses need to take extra care when setting up their cloud storage tools.
Earlier this month, World Wrestling Entertainment (WWE) leaked the personal data of over three million fans after failing to properly secure an S3 server, after a similar error in the US resulted in the country’s largest error breach of voter data.
Quiz: Cyber security in 2017!