Major Data Leaks on Amazon Web Services Lately. Who’s at Fault?

Cloud security concerns are among the main reasons why so many businesses have been hesitant to move to the cloud. While there are lots of advantages to moving to the cloud, and that’s why the organizations are tempted to move to the cloud, there are also some serious security concerns when companies move their corporate data to a third-party storage. Let’s take the Amazon Web Services (AWS) as an example. AWS is a cloud services platform, which according to the Seattle-based giant Amazon “offers reliable, scalable, and inexpensive cloud computing services.” I would agree with the reliable and scalable part, but I’ve never heard anyone accuse AWS of being “inexpensive.” I’m just sayin’! 🙂

Because Amazon stores a tremendous amount of customer data on its storage servers, as a service provider it’s responsible for keeping the customer content secure. Obviously, Amazon has gained the customers’ trust over the years, or else it wouldn’t be so successful. Unfortunately, Amazon has been in the cybersecurity news a lot lately. In less than two weeks (12 days to be exact), AWS experienced some major data leaks. Let’s look at a few major incidents between July 6 and July 17, 2017. Incidents like these are a good reminder for us to stop and think about our own business. Are we doing enough to secure our business assets? Are we learning from others’ mistakes? What more can we do to mitigate cybersecurity risks?

July 6, 2017- World Wrestling Entertainment

AWS Data Leak (Amazon was not at fault)

Personal information of more than 3 million wrestling fans was exposed due to a World Wrestling Entertainment (WWE) database leak, but Amazon was not at fault. The exposed information included:

• Home addresses
• Email addresses
• Educational background
• Earnings
• Ethnicity
• Birthdates
• Children’s age ranges
• Other personally identifiable information (PII)

Kromtech, the company that discovered the data leak, believes that the exposure was due to a misconfiguration of database either by WWE or an IT solution provider (ThreatPost.com, 2017). The configuration error left the database records available in plain text on Amazon S3 server. After the disaster, the WWE decided that it will have a couple of cybersecurity companies conduct regular security audits on AWS. Hmm? No one at WWE thought about conducting these audits before the data leak?

July 12, 2017 – Verizon

AWS Data Leak (Amazon was not at fault)

A whopping 14 million Verizon customer records were exposed due to a cloud data leak on Amazon Web Services (AWS), but Amazon was not at fault. According to ZDNet, a large company which serves 85 of the Fortune 100 companies, was responsible for this exposure:

“An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant’s customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra’anana, Israel-based company.”

Each record included customer’s name, cell number, and the user PIN number. It took a week before the data was finally secured.

July 17, 2017 – Dow Jones

AWS Data Leak (Amazon was not at fault)

2.2 million Dow Jones customer records were exposed due to an error by a Dow Jones employee in configuring the cloud computing service. The customer names, usernames, email, physical addresses, and the last 4 digits of credit card numbers were exposed. Again, Amazon was not at fault.

Did you notice the pattern here? Companies are leaking customers’ data like a sieve. I could list many more cases, but you get the idea. Interestingly, in every single case that listed above, Amazon or its services were not at fault. The reason for data leaks turned out to be primarily user error and incorrect configuration, both of which can be attributed to lack of training, knowledge, and experience. Some people may argue that AWS is too complicated to configure so people are having trouble properly configuring them. However, Amazon provides tons of information on AWS, including training options, and there are more than 50,000 AWS certified experts in the world who are trained to configure the services properly. Did they hire one of them? Did they send their own staff to training?

Cybersecurity Training is the Key

Why do so many large organizations either keep getting hacked or experience data leaks? There are lots of scenarios and circumstances and there’s no simple answer to this question. However, after 25+ years of experience working with security technologies and different types of clients, it is my professional opinion that lack of proper training and security awareness is one of the biggest reasons why so many organizations get hacked. A Security Awareness Training  Program is highly recommended regardless of your company size, budget, or the nature of your business. If your organization uses Internet-connected devices, you should implement such a program.

Obviously, large organizations have a bigger target on their back and they have too many security holes to plug and entry ways to monitor, but they also have big budgets, more resources, and bigger staff. The problem is that some organizations are reluctant to spend much money on securing their infrastructure, training their IT staff and end users, or implementing a cybersecurity awareness program until they get hacked. Once they are hacked and their existence is in jeopardy, somehow magically they come up with lots of money in their budget for everything that they should have done before they got hacked. Remember the Premera hacking incident? The federal auditors warned Premera three weeks before the hack that its network security was inadequate and yet Premera failed to protect 11 million patient records from being stolen, as reported by The Seattle Times in the story Feds warned Premera about security flaws before breach. Premera exposed PII of its customers, despite plenty of warning from the FBI and the U.S. Office of Personnel Management. The exposed records included Social Security numbers, medical records, birthdates, bank information, addresses, phone numbers, email addresses, and employment information. And that’s not it. Premera kept the cybercrime secret from their customers for six weeks, which allowed the hackers to steal even more data (ClassAction.org, 2017). After the hack, Premera decided it would be a good idea that they hire a cybersecurity firm to strengthen their security systems. Many organizations do not prioritize security. Unless they make security a top priority, it’s only a matter of time until they get hacked, and Premera is a perfect example of that. Larger organizations have a better chance of surviving a cyberattack and that may be another reason why they tend to be somewhat lax about cybersecurity.

The trend is slowly changing and more organizations are focusing on cybersecurity training, but we are far from where we need to be. Cybersecurity awareness is a cultural change and luckily in the United States there are major initiatives all over the country that are changing our security culture. The millennials are computer savvy, educated, and way more aware of the social, environmental, political, and cultural issues than the baby boomers. This is a good thing and will help bring the change that’s needed. Thanks to a recent bill in Illinois, the state employees are now required to undergo cybersecurity training. I am sure other states will follow. If only the organizations would realize that the cost per person for cybersecurity awareness is practically negligible, this world will be a different place.

“According to a study by the Ponemon Institute and IBM Security, the average total cost of a data breach amongst the 419 companies they surveyed was $3.62 million. Cybersecurity awareness training and re-enforcement programs cost less than $5 per person and offer a cost avoidance of around $184 per user.” (CBS Chicago, 2017).

In just about every hacking story, one thing seems to be common. The organization decides to hire a cybersecurity company –– after the hack. Businesses should realize that, based on the above study, for every $2.70 they invest per person in cybersecurity awareness training, they are avoiding a potential $100 cost per user in data breach. All the management has to do is compare the cost of an average hack with the cost of a security audit to realize what their organization needs to do.

Some companies are good at sending their IT staff to training, but they leave out their most important assets, the information workers. Another big mistake that I have seen companies make is that the senior executives don’t attend cybersecurity training. The senior management needs a different kind of cybersecurity training, and they can set the tone for the entire organization to help change the company’s security culture.

The way I look at it, businesses have two choices. They can either get their employees trained in cybersecurity now, or wait until they’re hacked and then get the employees trained. Obviously, the first option is a better choice. There’s no guarantee that the training will make an organization 100% safe from cyberattacks, but training will definitely help. Think of cybersecurity training as your business liability insurance. You won’t consider running your business without liability insurance, why should you run your business without cybersecurity training for your staff?

About 60% of hacked small and medium-sized organizations go out of business after six months (Inc.com, 2017). Are you going to be next?

Copyright © 2017 SeattlePro Enterprises, LLC. All rights reserved.