It was recently discovered that a database containing just over 500,000 sensitive records equalling 425gb of data was breached. These sensitive records were directly linked to a cash advance app that provides high interest, short term loans and credit advances to small businesses. The data included sensitive information such as, tax returns, bank statements, scanned bank checks, bank account access information, drivers licenses, social security numbers, and more.
The cause of the breach was determined after a third party investigation and appeared to be an exposed S3 bucket. This particular S3 bucket was completely unencrypted, not even a password to protect its contents. After discovering the breach a third party service attempted to contact the company but received no response. After not hearing back AWS was contacted who shut down the S3 bucket immediately.
This seems to be a case of both negligence and a simple S3 misconfiguration. S3 bucket misconfigurations are a common cause of data breaches in today's world. Securing S3 buckets is not difficult, as they come with their own encryption methods built in. Data security is a serious business and dealing with records as sensitive as the ones in this breach requires careful planning.
Companies should always encrypt and password protect their S3 buckets and/or storage containers. Protocols and contingencies need to be put in place to safeguard the data in the event of an accident occurring. Common accidents are backing up data and restoring it, and forgetting to password protect the new data set. Accidentally leaking a private S3 bucket to a public cloud. Not securing individual access to certain secure S3 buckets. These all factor into the realm of human error and human error while unstoppable can be mitigated.
Monitoring access of authorized and unauthorized identities, educating employees, and following careful procedures when working in the cloud, and procuring proper services and tools are all steps that can be taken to reduce the risk of a data breach. Always find the right tools to help protect your environment.
Learn more about this cloud security data breach from ZDNet.