
Another misconfigured Amazon S3 bucket exposes 48M records

News roundup: A misconfigured Amazon S3 bucket led to the exposure of 48 million records collected by a private data analytics firm. Plus, PCI SSC updated its cloud guidelines, and more.

A data collection firm inadvertently exposed 48 million records containing personal information scraped from social media sites.

Chris Vickery, the director of cyber risk research at UpGuard Inc., a cybersecurity company headquartered in Mountain View, Calif., uncovered the latest data exposure through a misconfigured Amazon Simple Storage Service (S3) bucket. The repository belongs to LocalBlox, a data collection company based in Bellevue, Wash., which gathers its data from publicly available sources, such as Facebook, Twitter, LinkedIn and the real estate website Zillow, and uses that data to create profiles on consumers.

These consumer profiles were stored in misconfigured Amazon S3 buckets, a storage service that the organizations using it have notoriously mishandled. The 48 million records exposed by LocalBlox included names, physical addresses, birthdates, Twitter handles and data scraped from LinkedIn and Facebook, according to UpGuard, which confirmed with LocalBlox that the leaked repository does belong to the data collection company. The exposure also leaked information about internet usage.

"The database appears to work by tracking an IP address, matching collected data to that IP address when able, and, thus, providing a clearer image of the behavior and background of the user at that IP address," UpGuard explained in a blog post.

Vickery, who has unearthed a long list of companies that fell into the same trap of misconfiguring Amazon S3 buckets and accidentally exposing sensitive data, discovered LocalBlox's error in February. The company fixed the setting within a day of the UpGuard team alerting it to the issue.

The misconfigured Amazon S3 bucket was located at a subdomain named "lbdumps," according to UpGuard, and contained a compressed file that held a 1.2 terabyte newline-delimited JSON (NDJSON) file. The NDJSON file is where the 48 million records were kept -- publicly accessible and downloadable.
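The exposure described above comes down to bucket access settings that let anyone read and download the contents. The following is an added example, not code from the article, UpGuard or LocalBlox, showing how a defender can audit those settings offline. The functions take dicts shaped like the responses of the real S3 APIs GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock, so live responses (for example from boto3) can be fed to them; here they run on constructed sample documents, and the bucket name, account ID and owner ID in the samples are invented placeholders. The S3 Block Public Access check is the mitigation a practitioner would add today; the article itself does not mention it.

```python
"""Offline audit of S3 bucket access settings for public exposure.

Added example, not code from the article, UpGuard or LocalBlox. Input dicts
follow the shapes of the S3 GetBucketAcl, GetBucketPolicy (after json.loads
of its "Policy" string) and GetPublicAccessBlock responses.
"""
import json

# Canned ACL group URIs that make a grant readable by the world or by any AWS user.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public groups in a GetBucketAcl-shaped dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for unconditional Allow statements with a wildcard principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a Condition may scope the grant; review it by hand instead of auto-flagging
        actions = stmt.get("Action", [])
        findings.append((stmt.get("Sid", "<no Sid>"), [actions] if isinstance(actions, str) else actions))
    return findings


# The four account/bucket-level S3 Block Public Access settings.
BLOCK_PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_public_access_blocks(pab):
    """Return the Block Public Access flags that are not enabled in a GetPublicAccessBlock-shaped dict."""
    conf = pab.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in BLOCK_PUBLIC_ACCESS_FLAGS if not conf.get(flag, False)]


def audit_bucket(acl, policy, pab):
    """Collect human-readable findings for one bucket; an empty list means nothing public was detected."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    findings += [f"policy statement {sid} allows {','.join(acts)} to everyone"
                 for sid, acts in public_policy_statements(policy)]
    findings += [f"Block Public Access flag {flag} is off" for flag in missing_public_access_blocks(pab)]
    return findings


# Constructed samples: a leaky configuration beside a hardened one (owner/account IDs are placeholders).
LEAKY_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [LEAKY_ACL["Grants"][0]]}

LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-dumps-bucket/*"}]
}""")
PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AnalyticsRoleOnly", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-dumps-bucket/*"}]
}""")

ALL_BLOCKED = {"PublicAccessBlockConfiguration": {f: True for f in BLOCK_PUBLIC_ACCESS_FLAGS}}
NONE_BLOCKED = {"PublicAccessBlockConfiguration": {f: False for f in BLOCK_PUBLIC_ACCESS_FLAGS}}

if __name__ == "__main__":
    for label, args in (("leaky", (LEAKY_ACL, LEAKY_POLICY, NONE_BLOCKED)),
                        ("hardened", (PRIVATE_ACL, PRIVATE_POLICY, ALL_BLOCKED))):
        print(label, audit_bucket(*args) or ["no public access detected"])
```

Run stand-alone, it reports six findings for the leaky sample (the AllUsers READ grant, the wildcard GetObject statement and four disabled Block Public Access flags) and none for the hardened one. Statements with a Condition are deliberately skipped rather than flagged, since conditions such as a source-VPC restriction can make a wildcard principal non-public; a real audit should list those separately for manual review.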

Some of the data stored in that file was obtained using Facebook's search feature, which was recently disabled by the social media company for these types of abuses.

"This data highlights the ease with which Facebook data can be scraped, and the ubiquity of Facebook information in psychographic datasets," UpGuard said in its blog post, adding, "The exposed data wasn't just a customer list, but the very product LocalBlox offers. Their value statements about the power of their data provide some insight into exactly why exposing such data is extremely dangerous."

LocalBlox's website says it collects consumer data because of the "need for deeper, more accurate data" about people and businesses in order to compete effectively in the market.

The recent debacle surrounding Cambridge Analytica and Facebook has brought extra attention to this data exposure.

"The presence of scraped data from social media sites like Facebook also highlights an important fact: all too often, data held by widely used websites can be targeted by unknown third parties seeking to monetize this information," UpGuard wrote. "In such cases, both a targeted website like Facebook and any affected users are being victimized, as personal information entrusted to the social network is snatched up for the benefit of a platform of which no one is aware."

In other news:

  • The PCI Security Standards Council (SSC) updated its guidance on cloud computing. The PCI SSC Guidelines for Secure Cloud Computing document was last updated in 2013. The latest update includes new guidance on compliance challenges with PCI DSS, roles and responsibilities, and understanding the scope of cloud environments. The update also includes "expanded guidance" on incident response, and new guidance on vulnerability management. The PCI SSC guidelines cover some newer technologies, such as software-defined networks, containers, fog computing, desktop virtualization and the internet of things -- as well as how they impact compliance with PCI DSS. Notable changes for vulnerability management include the addition of web application testing, internal network testing and penetration testing.
  • Google reportedly plans to add new security features to Gmail, including self-deleting email and a confidentiality mode that would prevent email messages from being forwarded or printed. These features, however, may prove difficult to apply to email sent to or from a different email platform. Messages sent between Gmail accounts should not have any issues, but if one party is not a Gmail user, the email will instead contain a link to the actual message. The link reportedly will allow Google to control what happens to the email. Google will also allow Gmail users to require a passcode, sent over SMS, to open email messages. It's unclear whether these security features will be free with Gmail or come as a paid service.
  • The Food and Drug Administration (FDA) has released an action plan to make medical IoT devices more secure. Released this week, the "Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health" aims to "advance medical device cybersecurity." One such advancement is to call on developers building medical devices to include cybersecurity measures in the design and development phases. This would require developers to build medical devices that can be more easily updated or patched in order to deny hackers access to the devices through security vulnerabilities. The FDA will also continue to work with the Department of Homeland Security to share security risk information that will then be shared with those in the healthcare IT industry.
