In the latest misconfigured Amazon Web Services (AWS) cloud storage snafu, Walmart jewelry partner MBM left personal data for more than 1.3 million customers in the US and Canada exposed without a password.
The Chicago, Illnois-based jewelry company, which operated under the name Limogés Jewelry, left names, addresses, ZIP codes, phone numbers, email addresses, IP addresses and passwords publicly available in an AWS S3 bucket – data that can be used to carry out targeted fraud or phishing attempts.
Originally detected by Kromtech Security, the data of MBM’s online visitors was housed in an MSSQL database backup named “walmartsql.” Kromtech said that it’s unknown if the customer information came from the Walmart website or the Limogés Jewelry site.
“The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon S3 buckets is simple ignorance,” said Bob Diachenko, head of communications at Kromtech Security, in a post. “Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them.”
While the general consensus is that the fault for leaving data exposed lies with the enterprise customer, at least one researcher says that the sheer volume of these types of incidents, even though the misconfiguration pitfall is well publicized, indicates that there’s something wrong with AWS’s shared responsibility model that puts undue pressure on the end user.
“It is unfortunate that these types of issues continue to plague AWS customers,” said Sam Bisbee, CSO, Threat Stack, via email. “While organizations must understand where they are storing their data, whether the storage system is appropriate for the data they’re keeping there, and whether they have the internal resources to responsibly secure those data systems, the onus must also be on AWS. The shared responsibility model for security is accurate and fair, but it is beginning to feel disingenuous as AWS continues to release point solution tools yet leaks keep occurring. This isn’t limited to just S3 either, as our research indicates that nearly three-quarters of organizations have critical AWS misconfigurations of some kind.”
This is particularly true for large organizations that have grown rapidly over time, both organically and inorganically, and often rely on third parties, he argued.
“It can be very difficult to maintain security visibility into your infrastructure as assumed knowledge gets dispersed, particularly as business leaders continually prioritize speed over security,” said Bisbee.