Experts weigh in on Dow Jones proprietary info data leak (Includes interview)

This week it emerged that a watchlist of almost 2.5 million people and corporate bodies held by Dow Jones was exposed. Bankinfosecurity.com reports that the exposure occurred because a third-party company with access to the database left the data on an AWS-hosted Elasticsearch database. There was no encryption in place.

The indexed, tagged and searchable list includes current and former politicians, citizens with alleged criminal histories and possible terrorist links, and companies under sanctions or convicted of high-profile financial crimes. The exposed records include names, addresses, locations, dates of birth, genders, whether they are deceased or not, and in some cases, photographs.

Unprotected servers

Focusing on how the incident could have occurred, Chris DeRamus, CTO and co-founder of DivvyCloud, tells Digital Journal: “This security lapse from the Dow adds to a growing list of organizations in 2019 that have left Elasticsearch servers unprotected, therefore exposing massive quantities of proprietary data. Dow Jones suffered a similar cloud storage misconfiguration two years ago that exposed the information of 2.2 million customers.”

He levels criticism at the financial institution: “Dow Jones clearly did not take proper steps to strengthen its security posture. Organizations must realize the importance of balancing their use of the public cloud, containers, hybrid infrastructure and more with proper security controls. Automated cloud security solutions that provide the automation essential to enforce policy, reduce risk, provide governance, impose compliance and increase security across large-scale hybrid cloud infrastructure are a must for the massive stock market index, as well as any major enterprise.”

Lack of password control

This theme is shared by Carl Wright, CCO of AttackIQ, who explains: “This data breach is particularly egregious for both the lack of very basic protection — a password — and the extremely high degree of sensitivity of the data. There may be people on the list that are innocent, and the risky individuals are now aware they are on the list and can change their tactics to avoid detection in the future.”

Expanding on this, Wright considers what should have been done: “Such leaks are often caused by gaps in security programs that can be easily detected and prevented. Organizations must take proactive approaches to protect their data through continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses. And as evidenced by this incident, testing must extend to an organization’s third-party partners as well.”

Need for a cloud access security broker

This view is shared by Anurag Kahol, CTO and founder of Bitglass, who states: “While all organizations need to defend their data, Dow Jones, in particular, must adhere to the highest of security standards – the type of information that they collect, store, and share demands it.”

With the AWS system, Kahol notes: “Even though AWS provides some native security and compliance functionality, the onus is on the enterprise to secure access to the data that is being stored within the platform. At the most basic level, this requires the use of a password (although this alone is not sufficient for cybersecurity). As more and more organizations move to the cloud, advanced, cloud-specific security controls must be put in place in order to secure data as it travels across third party services, organizations, and devices. One effective solution for accomplishing this involves using a cloud access security broker (CASB) to protect data wherever it goes.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
