UK-based travel company Teletext Holidays left a trove of its customer data unsecured, exposing 530,000 files including some to 200,000 audio files of calls made by customers.
The Amazon Web Services (AWS) server, left unsecured for three years, showed the names of the users, their email and home addresses, telephone numbers and dates of birth, reported Verdict.
The calls, which range from a few minutes to up to an hour, discuss personal holiday details including location, flight time and cost. The files have since been removed, said the report.
A company spokesperson told Verdict that the company is “in the process of” reporting the matter to the regulators and will take steps to avoid such situations.
Teletext is the latest in a long line of companies struggling with maintaining security configurations across cloud service.
A survey by security services business Tripwire of 150 attendees at Black Hat USA 2019 in August showed that 84 percent of the participant organisations found it difficult to maintain security configurations across cloud services. Of those, 17 percent said it was “very difficult”.
Only 54 percent of the security professionals said they had configuration management in place for the cloud, and just 49 percent had file integrity monitoring (FIM) capabilities enabled for the cloud – which could alert them to inadvertent exposure of cloud data to the public. Worryingly, 75 percent said it was easy to accidentally expose data publicly through the cloud.
A similar survey at Infosecurity Europe in June 2019 covering 300 security professionals said 27 percent of organisations do not know how quickly they could tell if their cloud data had been compromised.
According to the survey by Outpost24, more than 42 percent of security professionals believed their on-premise data is more secure than their cloud hosted data, while 19 percent of organisations only carry out security testing on their cloud environment annually and a staggering 11 percent never run any security testing at all.
“The cloud offers organisations huge benefits in terms of cost savings and scalability. However security in these environments should never be overlooked,” said Outpost24 VP Bob Egner. “Organisations should treat their cloud assets just as they would their on-premise assets and apply all the same security principles of vulnerability and application security assessment, plus checks for cloud misconfigurations and security posture.”
The Amazon Web Services (AWS) official policy states that it will ensure that only authorised parties have physical access to their data centres and will run the related network security appliances, such as IPS devices, IDS devices and firewalls. It also monitors logs for security alerts and address any related issues of the security of the network itself.
However, code put in by the customer company does not belong to Amazon. If there is a vulnerability in the company code and a hacker exploits it, the company will be held responsible.
“While cloud providers may take responsibility for securing their infrastructure, moving to the cloud doesn’t absolve you from the responsibility of protecting your own data. The cloud doesn’t magically protect the data and systems that you put in there,” wrote Tim Erlin, vice president of product management and strategy at Tripwire, in an email to SC Media UK.
“There’s a new incident reported every few weeks that stresses the need to extend basic security controls to cloud environments. Organisations need to ensure they’re implementing critical security controls regardless of where the systems reside,” Erlin added.
And unsecured cloud servers that hold detailed customer information, such as the one at Teletext, are the lowest-hanging fruits for data-sellers.
“Data breaches involving personally Identifiable Information (PII) provide cyber-criminals with a treasure trove of information that could be used to carry out identity fraud, phishing or targeted email attacks,” said Securonix EMEA VP Robert Ramsden-Board.
“The lack of cyber-hygiene demonstrated here tells us a lot about current cyber-security culture and organisations need to make sure that any sensitive data is stored on secure servers,” he added.
Outpost24’s Egner agrees.
“It is extremely important to understand the shared responsibility model and what cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure can and cannot offer in terms of security, as ultimately the responsibility of protecting your data and cloud workloads lies with you, the organisations using the cloud services,” he said.
This article originally appeared in SCUK written by Chandu Gopalakrishnan.
