Hobby Lobby, a retailer of arts and crafts with $5.3 billion in revenue, left 138GB of customer information public in an AWS bucket. The security misconfiguration led to the exposure of personally identifiable information (PII) from 300,000 customers (names, phone numbers, addresses, and payment card last four digits), employee names and emails, and company application source code. The information found in the misconfigured bucket was as recent as 2020.
Hobby Lobby has since locked down access to the data after Motherboard (Vice’s Tech division) reached out following a tip from an independent security researcher who provided screenshots of the AWS buckets and data stored therein as evidence. “We identified the access control involved and have taken steps to secure the system,” Hobby Lobby informed Motherboard. While Hobby Lobby secured the AWS bucket, it is unknown whether or not any unauthorized or malicious access occurred.
Hobby Lobby is not the first big brand to suffer a data breach due to a misconfiguration. Cloud misconfigurations are a common occurrence, and they routinely lead to the inadvertent exposure of sensitive, private data to anyone who finds it. AWS S3 buckets are easy to set up, and enterprises frequently make the mistake of not locking them down, leaving them open to the public.
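As an added example (not code from this article or from Sonrai), here is a small Python check for the kind of public-bucket exposure described above: it flags bucket policy statements that grant access to any principal and ACL grants to the AllUsers or AuthenticatedUsers groups. The sample policy, ACL, bucket name and account ID are constructed for illustration; in practice the same functions would be fed the output of S3's GetBucketPolicy and GetBucketAcl calls, with the account's Block Public Access settings reviewed alongside.

```python
import json

# ACL grantee URIs that expose data to everyone (AllUsers) or to any AWS account (AuthenticatedUsers).
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _is_wildcard_principal(principal):
    # Matches the two ways a policy grants access to everyone: "*" or {"AWS": "*"}.
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def public_policy_statements(policy):
    # Returns (Sid, actions) for unconditional Allow statements open to any principal.
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a wildcard narrowed by a Condition needs a human look, not an automatic flag
        findings.append((stmt.get("Sid", "<no Sid>"), sorted(_as_list(stmt.get("Action")))))
    return findings

def public_acl_grants(acl):
    # Returns (group, permission) for ACL grants to the AllUsers / AuthenticatedUsers groups.
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_URIS]

# Constructed sample input in the shape S3's GetBucketPolicy / GetBucketAcl return (hypothetical names).
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print(public_policy_statements(SAMPLE_POLICY))  # [('PublicRead', ['s3:GetObject'])]
    print(public_acl_grants(SAMPLE_ACL))            # [('AllUsers', 'READ')]
```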
With non-person identities numbering in the thousands and far outnumbering their human counterparts, security gaps such as exposed data buckets often go undetected due to a lack of visibility. “As the use of public clouds becomes more ubiquitous, the dual issues of identity and data protection become increasingly important,” J.R. Santos, Chief Customer Officer at CSA, recently said. “The insight Sonrai provides into not only how your data has been accessed but the ways in which it can be accessed in the future is invaluable.”
In fact, Sonrai Security has found unexpected public exposure of data in 90% of the customers where Sonrai Dig has been deployed. Many organizations still lack key identity-related security controls. The few forward-thinking companies that have started applying proper access controls typically focus on human users, not non-person identities. Non-person identities, however, present unique challenges that are only solvable with intelligent CSPM.
Misconfigurations only scratch the surface of identity and data risk; many other common mistakes in identity and data access lead to security failures. Enterprise cloud teams must leverage automated tools that provide end-to-end visibility into all identity and data risk, but finding the right tooling can be a challenge. At Sonrai Security, we have put together a CSPM buyer’s guide that can help prevent cloud data breaches such as this one.