
Published on August 21st, 2019

Netflix, Ford, TD Bank Data Exposed by Open Amazon S3 Buckets



Israel-based data integration and big data management company Attunity exposed the data of Fortune 100 customers such as Toronto-Dominion Bank (TD Bank), Ford, and Netflix after failing to secure three Amazon S3 buckets it managed.

Attunity, which according to its website works with at least half of all Fortune 100 companies and has over 2000 clients, leaked both its clients' and its own data, with over 1TB of info being downloaded by UpGuard researchers for analysis.

While the total size of the open S3 buckets discovered by UpGuard is uncertain, the data contained within included highly sensitive business and personal information such as "email correspondence, system passwords, sales and marketing contact information, project specifications, and more."

The databases were found by UpGuard on May 13, with an initial upload time of September 2014 and the most recently uploaded document having a timestamp of just a few days prior to the AWS buckets being discovered.

Among the exposed data, the research team unearthed a Netflix database containing authentication strings, TD Bank software upgrade invoices, and Ford project documents.

Netflix database

UpGuard also found system credentials in the Attunity data set: "Credentials such as private keys were stored, and exposed, in directories for configuring those types of systems." This serves "as a useful reminder of how that information might be stored in many places across an organization’s digital assets."

Company system information was also found in the sample data set the researchers downloaded from the three exposed AWS buckets. Attunity’s own systems were exposed in the data leak as well, with information like IP addresses being leaked via a spreadsheet named "Production VLAN."





The publicly accessible databases also stored personally identifiable information (PII), exposing employee data via multiple spreadsheets, with the info including names, addresses, dates of birth, vacation days, salaries, and more.

"An additional risk is that the employee ID numbers tied to US Attunity employees follow the same numbering scheme as social security numbers, which leads us to believe they may be one in the same," states UpGuard. "The Attunity Employee IDs in this spreadsheet for US employees are nine digits, the same length as SSNs."

However, "US government site does not return the name of the person with the SSN for obvious security reasons, and so we cannot absolutely verify that these ID numbers are also the employee’s social security number," add the researchers.

Attunity PII

Even though the data leak could have impacted highly sensitive business documents and customer information, some of the affected companies such as Ford have already stated that the incident had no such severe consequences. "We know the kind of information we provide to companies like Attunity, and we don’t believe there’s an issue," Ford spokeswoman Monique Brentley told Bloomberg.

Additionally, TD Bank spokesman Matthew Doherty stated that "We are currently investigating this matter and, thus far, we have found no evidence that our customers' personal and financial information was exposed. We also have safeguards in place that are designed to help deter unauthorized access and use of our customers' personal and financial information."

A spokesperson for Qlik, Attunity's parent company, also added, as per SecurityWeek:

We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations. We take this matter seriously and are committed to concluding this investigation as soon as possible. At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us.
