How Private Data Became Public on Amazon's Cloud

Photographer: john Lund

Close
Open
Photographer: john Lund

Companies that use Amazon's popular cloud computing service have accidentally disclosed confidential information including sales records and source code, highlighting the risks of moving sensitive data to the Web, according to new research.

Rapid7, a Boston-based security firm, said in a report released today that it found more than 126 billion files posted online belonging to customers of Amazon Simple Storage Service, or Amazon S3, earlier this year. Rapid7 analyzed more than 40,000 of the files, most of which contained sensitive data, the company said.

Among its findings were sales records from a large auto dealership, source code for a mobile gaming company and spreadsheets containing employees' personal information and member lists. Rapid7 said the documents were public because many of Amazon's customers overrode a key security mechanism intended to keep such information private, likely by accident as the result of poorly designed third-party management software. 

It's often the case with security: Simple mistakes can splash confidential data all over the Internet, such as when South Carolina failed to encrypt Social Security numbers in its tax systems and lost millions of records to Russian hackers, or when a low-level employee at RSA pulled an e-mail message out of the junk folder and opened it, allowing in attackers who stole critical data from the security firm.

In the cloud, it's an especially acute concern for companies worried about losing control of their data. Spending on cloud technologies will surpass $130 billion this year, according to Gartner Inc.

"Cloud hosting and cloud storage is all the rage, but there are still some common pitfalls that many organizations overlook," Will Vandevanter, a Rapid7 researcher, wrote in a blog post. 

Amazon said in a statement that the issue did not involve a vulnerability in its service and that the company's technicians routinely reach out to customers to help with misconfigurations. 

"Amazon S3 provides authentication mechanisms to secure data stored in Amazon S3 against unauthorized access," the statement said. "Unless the customer specifies otherwise, only the AWS account owner can access data uploaded to Amazon S3."

The companies affected were not publicly identified, and after Rapid7 alerted Amazon to its research, many of the files were no longer visible. 

The issue Rapid7 discovered was that many Amazon cloud customers disabled the default "private" setting on the "buckets" used to store data in Amazon S3, which is part of Amazon Web Services.

Many of the documents in the public buckets were marked "confidential" or "private," and much of the information could be used to break into online accounts or hack into the companies' computer networks, according to the report.

HD Moore, chief security officer of Rapid7, alerted Amazon of the issue in January. The e-commerce giant then notified customers of the findings and has been "extremely responsive," Rapid7 said.

To contact the reporter on this story: Jordan Roberston in San Francisco at jrobertson40@bloomberg.net

To contact the editor responsible for this story: Marcus Chan in San Francisco at mchan239@bloomberg.net

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.