Bad data governance can pose significant risks to virtually any organization in any industry. But for an enterprise at global scale, the consequences can be huge.
That's the issue facing one multinational security company that left highly sensitive data in one of its Amazon S3 buckets exposed, allowing anyone to access nearly 3 TB of company data without authentication.
The company, which is a world leader in security products and services, used the misconfigured bucket to store approximately 1.5 million files containing information relating to its employees and business operations. Was there any way this exposure could have been avoided?
This post discusses the key facts of the story, the likely impact of the breach, and how data governance solutions like Cloud Data Sense can help bolster security postures to help avoid such crises.
Use the links below to jump down to the sections on:
- What Information Was Exposed and When?
- Impact of the Breach
- How Cloud Data Sense Reduces Risk of Exposure
- Multi-Purpose Data Governance Solution
What Information Was Exposed and When?
The data leak was discovered on 28 October 2021 by SafetyDetectives—a global group of cybersecurity experts, privacy researchers, tech reviewers and ethical hackers—following which the story was widely reported.
The organization found photographs of ID cards of airport and Securitas staff based in Colombia and Peru. These showed personal information about employees, such as their names, photos, job roles and national ID numbers.
ID card of a Colombian Civil Aviation Authority employee (Source: SafetyDetectives)
It also found other potentially sensitive information in photos of aircraft and luggage in baggage handling areas. Some also included sensitive data about other aviation industry companies associated with Securitas.
Furthermore, the photos contained exchangeable image file format (EXIF) metadata, such as the time, date and GPS locations of when and where the photos were taken.
In addition to data relating to airports in Colombia and Peru, SafetyDetectives believes sensitive information in connection with the security firm's services to numerous other industries has potentially been exposed.
Impact of the Breach
SafetyDetectives said it reported the issue to both Securitas and Sweden's Computer Emergency Response Team (CERT) on 28 October 2021. Securitas then closed the bucket five days later.
However, SafetyDetectives said it didn't know how long the bucket had been left open before it discovered the misconfiguration. It was also unable to confirm how many people were affected by the leak or whether the contents of the bucket had fallen into the wrong hands.
It is therefore unclear what the full impact of the breach on the individuals concerned will be. Likewise, SafetyDetectives could not confirm how many organizations were affected beyond the four identified airports in Colombia and Peru.
Nevertheless, the exposure poses a risk to travelers and airport staff, where security is of paramount concern. Criminals could also use the information to scam airline customers or create fake staff ID cards, through which they could impersonate airport employees in order to steal goods and possessions.
In addition to staff infiltration and reputational damage, Securitas could face sanctions for breaching data protection regulations in both Colombia and Peru, including financial penalties of up to the equivalent of US$400,000 in Colombia and US$122,000 in Peru.
How Cloud Data Sense Reduces Risk of Exposure
In a world where bad data governance can easily lead to leaked data and cyberattacks, companies need as much awareness of their data as possible. To improve data governance across any kind of storage environment, NetApp offers Cloud Data Sense.
Cloud Data Sense is a data discovery, classification, and optimization tool that's designed to help you maintain visibility and control over your information assets. It offers a range of features to support your data governance objectives, helping you:
- understand what types of data you store and where it resides
- set data retention policies
- identify and remove stale and duplicate data
- adjust permissions to data
- automatically generate reports on data
It is driven by powerful AI algorithms that provide contextual understanding of data, ensuring accurate discovery and classification of personal information. It supports both structured and unstructured data. And it natively integrates with a wide range of different storage repositories—including Amazon S3.
What makes Data Sense most relevant in this case is a feature that helps you prevent accidental exposure of sensitive information: you can simply search for files with insecure file permissions. Alternatively, you can use the Investigation tab, which shows you where your sensitive data is located and whether it is stored in files that are open to the public or to anyone within your organization.
To help avoid a case such as the one SafetyDetectives discovered, described above, Data Sense provides the tooling needed to spot such misconfigurations and help prevent exposure of the data in Amazon S3 buckets. Not only that, but it can do so in less than a minute—without the use of complex tooling or a command-line interface.
Identify files with open permissions in less than a minute
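As an added example that is not part of the original post or of Cloud Data Sense, the following Python script flags the kind of misconfiguration described above by inspecting a bucket's ACL, bucket policy and Block Public Access settings in the shapes boto3 returns; the sample ACL, policy and bucket name are constructed so the script runs offline without an AWS account.

```python
"""Flag Amazon S3 buckets whose ACL or bucket policy grants anonymous access (added example)."""
from typing import Optional

# Grantee URIs AWS uses for its two "everyone" groups (real AWS constants)
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

def _principal_is_wildcard(principal) -> bool:
    """True when a policy Principal is '*' or {'AWS': '*'} / {'AWS': ['*', ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket_exposure(acl: dict, policy: Optional[dict], pab: Optional[dict]) -> list:
    """Return one finding per path by which the bucket is public.
    acl, policy and pab have the shapes boto3 returns from get_bucket_acl,
    get_bucket_policy (JSON-decoded) and get_public_access_block (the inner
    PublicAccessBlockConfiguration dict). Account-level Block Public Access,
    which can also override these settings, is not modelled here."""
    pab = pab or {}
    findings = []
    # Public ACL grants are neutralised when IgnorePublicAcls is on
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GRANTEE_URIS:
                findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GRANTEE_URIS[uri]}")
    # An unconditional Allow to a wildcard principal is neutralised when RestrictPublicBuckets is on
    if policy and not pab.get("RestrictPublicBuckets", False):
        for stmt in policy.get("Statement", []):
            if (stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                findings.append(f"policy {stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)} to everyone")
    return findings

# Constructed sample resembling the post's misconfiguration: a bucket anyone can read without authentication
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE_OWNER_ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
OPEN_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
LOCKED_PAB = {k: True for k in OPEN_PAB}  # the safe default for a bucket that should never be public
```

Running `audit_bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY, OPEN_PAB)` reports both the public ACL grant and the public policy statement, while the same inputs with `LOCKED_PAB` report nothing, which is the posture a bucket holding staff ID photos should have.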
Multi-Purpose Data Governance Solution
Cloud Data Sense provides a whole host of other capabilities to help you understand your data and manage it more effectively. Many of these could have played an equally important role in helping avoid the kind of situation Securitas found itself in through data governance shortcomings.
- Data discovery: Cloud Data Sense can help keep admins properly in the picture about the data the organization owns and can reduce the scope for insecure information to slip through the net.
- Data classification: Through this capability, Data Sense users can get clear insights into the types of data they store in S3 buckets and can be in a better position to take protective measures accordingly.
- Data ownership: Using the solution's file tagging capability, users are able to assign files to specific people within the company. That way, it’s possible to immediately establish lines of responsibility, allowing quick and efficient collaboration over file permission issues—without having to rely on just the names of files.
- Data optimization: Data Sense helps you identify stale and unnecessary data. This can help determine whether the information stored in S3 buckets is strictly necessary to retain. It can also streamline the data being stored, thereby reducing the impact of exposure.
The Securitas breach is a classic example of bad data governance and one of many high-profile cases of publicly exposed S3 buckets.
But it's important to remember that permission issues aren't just restricted to Amazon S3. They can put data at risk in virtually any type of storage repository.
That's why Cloud Data Sense provides off-the-shelf support for a wide range of different database management systems and storage environments, giving customers easy-to-use data governance capabilities across their entire data inventory.