The data loss impacting fitness brand V Shred has exposed personal data connected to some 99,000 prospective customers, current clients and trainers. The exposed files contained names, home addresses, email addresses, dates of birth, some Social Security numbers, social media account details, usernames and passwords, age ranges, genders, and citizenship status.
Looking into the issue for Digital Journal, Chris DeRamus, VP of Technology, Cloud Security Practice, Rapid7, says that the unsecured database is too common a problem and one overlooked by too many firms. Indeed, many cloud mishaps occur due to misconfigurations at the point of set-up.
With this, DeRamus notes: “Leaving a database publicly accessible without any security barriers in place is one of the most common yet easily preventable causes of data leaks and breaches. In fact, data breaches involving cloud misconfigurations increased by 80 percent from 2018 to 2019.”
He adds that failing to think through the appropriate set-up and configuration of a customer-facing service is a key factor: “With the self-service nature of the cloud, users may not be adequately familiar with cloud security settings and best practices, resulting in devastating data leaks, such as this incident involving the exposure of personally identifiable information belonging to V Shred customers and trainers. Although any evidence of misuse has not been confirmed, the information that was exposed is highly valuable to bad actors, who harvest this kind of data to sell on dark web marketplaces or to launch future attacks against the impacted individuals.”
In terms of the implications, DeRamus explains: “This exposure of customer data highlights why developers and security teams need to work together to proactively identify cloud compliance and security issues before cloud resources are deployed.”
As to what is to be done, DeRamus recommends: “Organizations should not rely solely on runtime security and instead must ‘shift left’ by taking preventative measures early on in their continuous integration and continuous delivery pipelines. This approach will allow organizations to prevent security issues including cloud infrastructure misconfigurations from ever occurring, thereby preventing data breaches and leaks.”