Eight million sales records on Amazon, Ebay, Shopify exposed (Includes interview)

As reported by the website Comparitech, a software provider deployed by small retailers located within the European Union exposed a database containing around eight million sales records online. These records were exposed without a password, or any other form of authentication, needed to access the data.

The documents contained important information such as sales records, plus personally identifiable data like customer names, email addresses, customer shipping addresses, the types and values of purchases, plus the final four digits of credit card numbers.

The Daily Telegraph reports that the database was available on search engines for five days before it was shut down, increasing the risk of exposure.

Responding to the issue, Amazon said in a statement (quoted by PrivSec): “We were made aware of an issue with a third party developer (who works with a number of Amazon sellers), who appears to have held a database containing information from several different companies, including Amazon. The database was available on the Internet for a very short period of time.”

CTO Vinay Sridhara of Balbix tells Digital Journal why organizations continue to fall victim to the same security lapses time and time again, and what must be learned from this most recent event.

Sridhara starts by looking at the changing world of technology: “The DevOps revolution and cloud computing have resulted in a double edged sword for enterprises. The same tools that enable organizations to move fast have caused untold, embarrassing breaches like this, showcasing the direct result of rapid adoption without sufficient security oversight.”

He then proceeds to look at some common factors: “These security incidents continue to recur, all following the same script – customer data gets uploaded to cloud server; well-meaning developer neglects to password protect or encrypt that externally exposed database; hacker or threat researcher exposes the data. Unencrypted, unauthenticated, publicly accessible databases wait for bad actors to discover them.”

In terms of what needs to be done to address such issues, Sridhara says: “Despite billions invested in security, enterprises are failing at the infosec equivalent of washing their hands. Since an organization can’t improve what it can’t measure, the starting point for a company to improve their cyber hygiene is to inventory, categorize, and measure the criticality of their assets. From there, basic resilience begins with identity, encryption, and network segmentation.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
