A new week, a new leak.
This week a researcher reported finding 2.5 million records exposed — showing people’s names, insurance records, medical diagnosis notes and more — on August 17.
Data breaches are an epidemic. Why can’t companies keep your data safe?
Watch here:
Too Easy
Attackers don’t always need to hack their way into a company to get your info.
In many cases, companies are simply leaving crucial databases wide open for all to see.
In May, a dating app company left its trunk of 20 million files unlocked, revealing graphic pictures, intimate conversations, voice messages and more, according to researchers at vpnMentor.
It’s just one of many breaches in the past few months, from patient info, tax returns, student records for kids, and bank account info to customers for adult entertainment web cams.
In each case, the companies made it easy for attackers to access your info.
Instead of marking the databases as private, they mark them as public, researchers said.
“For whatever reason, it is made public,” said Renee Trisberg, CEO & CTO of cloud security company SpectX in Estonia. “Information that should always be protected, but it’s not.”
Too Many
Trisberg looks for these leaky buckets on a quest to clean up the Internet.
“Same story,” he told Archer News. “No passwords protections. In the Internet, publicly available.”
He finds unsavory cases every time he searches and notifies the company involved — if it’s still in business.
Researchers from Truffle Security reported finding 4,000 leaky buckets with usernames and passwords in August.
Also, NordPass found almost 10,000 unlocked databases over the last year, resulting in 10 billion records exposed.
“You simply need to pray that the company is keeping your data safe,” Trisberg said. “Watch things, monitor credit reports.”
Why?
Why so much misconfiguration?
Many more people are using the cloud now, but don’t always know how to do it safely, said Shira Shamban CEO of cloud security company Solvo in Tel Aviv.
“And then we have the challenge of, the race of, trying to find the misconfiguration as fast as possible,” she said. “Before someone with a more criminal mind finds it.”
The most notorious issue is a combination of moving too fast and forgetfulness, according to Shamban.
In a rush to get into the database for work, people don’t take time to set up the right permissions.
“They don’t stop to think about it for a minute,” Shamban said. “They just open it, assuming that in five minutes they will close it back. They don’t, they forget, they leave it open and then ‘uncomfortable’ things happen.”
Employees may also try out new tools in the cloud.
“They are taking their corporate data and copying it to the cloud. But they’re not familiar with how to secure the cloud. They’re playing with the tools and then forgetting the data there in public form,” Trisberg said.
Prime Example
Our personal data lost —and attackers moving in — because of forgetfulness.
It may have been a factor, for example, in the attack at cloud communications platform Twilio, with big customers like Yelp, Netflix, Hulu, Uber, Airbnb, and Twitter.
Twilio says it changed security settings for a database back in 2015 and never re-set them.
In July, attackers got in and changed code — possibly trying to steal financial data — before Twilio fixed the problem.
Researchers with Accuracy found that 93% of cloud deployments checked had misconfiguration problems, leaving them vulnerable to attacks: data stolen, held for ransom, or simply destroyed, like in the ‘meow attack‘ where attackers are replacing data with the word ‘meow’.
’Temporary Insecurity’
In some cases, the unlocking of data may be more intentional.
After many employees moved to work-from-home in March, companies and government experienced more breaches, according to the International Association of IT Asset Managers.
One of the causes was ’temporary insecurity,’ as illustrated in this example from IAITAM.
“An intentional decision to make devices less secure to allow for work from home use. One example would involve removing admin permissions so that employees can complete the task without administrator oversight,” the organization explained.
Attackers can use search engines to easily find unsecured databases.
Drive Right
If the cloud is a car, we need to pay more attention to the road, Shamban said.
“Come on, it’s really up to us, the users,” she said. “You don’t have to be a car mechanic to drive a car, but you definitely need to know how to drive it if you want to go to places.”
“The cloud is great,” she added. “We just have to use it the right way.”
What To Do
Even if you don’t work with databases, you can take positive steps, Shamban said.
For one, be careful what info you give to companies. Give as little as possible so you will be affected less if they’re breached.
Also, use multi-factor authentication to protect your accounts so a breach doesn’t give attackers control over you.
For people and companies who work with databases, take the time to configure permission correctly, and check to see they are all protected. You can automate the process if needed.
Twilio, for example, now says it’s going to restrict direct access to its data buckets and improve monitoring of bucket policy changes to quickly detect problematic access policy.
People’s digital lives are at risk, but this misconfiguration epidemic is not out of our control.
Main image: Leaking bucket. Image: ConstantinosZ/iStock