The IMGE data leak resulted in information from database entering the public domain. Such data included more than 6,000 employees of the U.S.’s primary aerospace and defense contractor Boeing, publicly accessible online. It is not clear how long they were publicly accessible, though the names of some of the files indicate they were created in early 2018, according to the Daily Beast.
The Boeing employees impacted ranged from senior executives to program managers to government-relations personnel, and even one executive at the company’s advanced prototyping arm that handles highly classified work for the U.S. government.
According to Boeing: “This information was exposed as a result of human error by the website’s vendor…Boeing takes cybersecurity and privacy seriously and we require our vendors to protect the data entrusted to them. We are closely monitoring the situation to ensure that the error is resolved quickly.”
To look at the implications of the data breach, Digital Journal caught up with cloud security expert Chris DeRamus, CTO at DivvyCloud.
DeRamus notes that the incident signals the immaturity of many cloud systems: “Many users are not adequately familiar with the self-service nature of the cloud and may not implement proper cloud security settings and best practices, resulting in data leaks.” With this he cites the Boeing incident.
With safeguards now taken around the Boeing case, DeRamus notes that appropriate action has now been to hide the data from the public domain the risks stem from just how long the data base was left open for – a fact that has yet to be established.
This leads DeRamus to consider the type of data exposed: “It is especially concerning that the database contained information about 6,000 Boeing employees, many of whom are heavily involved with the U.S. government and military”, especially given that “the exposed data is more than enough information for cybercriminals to launch highly targeted attacks against those impacted to gain more confidential government information.”
In terms of lessons to be learned, DeRamus advises: “Companies who manage large amounts of sensitive data need to be proactive in ensuring their data is protected with proper security controls.”
He further recommends, in order to safeguard personal identifiable information linked to business employees, that “Companies must adopt robust security strategies that are appropriate and effective in the cloud at the same time they adopt cloud services – not weeks, months, or years later.”
The security expert adds further: “Automated cloud security solutions can detect misconfigurations, such as an unprotected database, in real time and trigger instant remediation, so that Amazon Web Services buckets and other assets never have the opportunity to be exposed.” Cloud misconfiguration is a real, and growing problem. According to IBM research (quoted by IT Portal), there has been a 424 percent increase in 2019 from data leaks connected with misconfigured cloud systems.
