Businesses everywhere, beware: the cyber security leak that happened at Verizon, Dow Jones and the RNC can happen to you, too.
A reminder: The names, addresses, phone numbers and in some cases, security PINs of 6 million Verizon customers stored on large cloud-computing servers were made available to the public, the telecommunications carrier said last week after a cybersecurity company notified it of the exposed data.
Verizon chalked the leak up to human error, saying it was because an employee of NICE Systems, one of its contractors that it uses to analyze its customer service response, made a mistake. No customer information was stolen, Verizon said, and it apologized to its customers.
Still, the risk was clear: A criminal who discovered the data could have used or sold the identifying information for the type of fraud that can wreak havoc on consumers’ lives.
The Verizon leak comes a month after the discovery that the names, birthdays, addresses and other personal details of 200 million registered voters were exposed by a contractor for the Republican National Committee.
In a similar scenario, the RNC contractor — Deep Root Analytics — had failed to ensure that the voter files stored on an Amazon cloud account were not available to public access. As with the Verizon exposure, Mountain View, Calif. cybersecurity company UpGuard identified the data cache.
And over the weekend, Wall Street Journal parent Dow Jones & Co. said the records of 2.2 million customers, which in some cases included names, addresses, account information and the last four digits of credit card numbers, were left exposed in an Amazon Web Services account. Dow Jones says it doesn’t believe any information was taken.
More such exposures are likely until businesses, which are increasingly using the cloud to store and analyze customer data and their own content — for instance, images that populate their websites — get a firm grip on the security protections they need to place around such data.
“When you have these complex systems and you force humans to solve the problem manually, we make mistakes,” said Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former director of cybersecurity policy in the Obama administration. “Complexity is the enemy of security.”
His take: data leaks are going to keep happening until cloud storage systems become more automated and enterprises have more help dealing with systems.
Amazon Web Services, where the Verizon data was stored, operates under a “shared responsibility” model with the customer — the Amazon cloud unit controls the physical security and operating system, and gives customers encryption tools, best practices, and other advice to help them maintain security of their data. The customers are responsible for making sure their applications are secure.
It’s roughly similar to a Google Docs user setting the “sharing” setting to private, a small group, or anyone.
After uploading files into an Amazon Web Services server, a business makes adjustments to who can access the files in a certain “bucket”, and the permissions (say to edit or just view). By default, the data is set to private so that only the person uploading the files can see them.
The user can widen access to various groups, including authenticated users, that is, anyone with an AWS account that has permission to access the files; and everyone.
“Use this group to grant anonymous access,” says the AWS website. The NICE Systems employee might have clicked the “everyone” category while meaning to give access to another group.
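To make the “everyone” setting concrete, the following is an added example (not from the article, AWS, or any company named in it) of an automated check that flags bucket access lists granting rights to the two broad groups described above. The access lists are constructed samples in the shape returned by S3's GetBucketAcl call; the function name `audit_acl` and the owner ID placeholder are assumptions made for illustration.

```python
# Added example: the ACL documents below are constructed, not real data.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that let the grantee change data or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(bucket, acl):
    """Return findings for grants that reach beyond named accounts.

    `acl` has the shape of an S3 GetBucketAcl response:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "..."}]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # a grant to one specific account is not public
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            audience = "everyone (anonymous)"
        elif uri == AUTH_USERS:
            audience = "any AWS account holder"
        else:
            continue  # other predefined groups, e.g. log delivery
        perm = grant.get("Permission", "")
        severity = "critical" if perm in WRITE_LIKE else "high"
        findings.append({"bucket": bucket, "audience": audience,
                         "permission": perm, "severity": severity})
    return findings


# Constructed sample: the default private ACL (owner only).
PRIVATE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser",
                            "ID": "owner-canonical-id-placeholder"},
                "Permission": "FULL_CONTROL"}],
}

# Constructed sample: the same bucket after access was widened by mistake.
EXPOSED_ACL = {
    "Owner": PRIVATE_ACL["Owner"],
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}
```

Run on a schedule against every bucket's access list, a check like this catches a mistaken “everyone” grant without relying on a person to notice it.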