Misconfigured AWS S3 Bucket Leads To Dow Jones Customer Data Leaks

Another week, another AWS cloud data leak! Dow Jones has become the newest organization to be affected by a data leakage due to misconfiguration. User error, in other words.

This is the latest in line of data leak incidents on the Amazon Web Services platform.

The frequency is alarming, but so are the organizations.

The Republican National Committee, the WWE, the Department of Defense and Verizon, all have had these data leaks in the recent past — albeit the last two were via third-party contractors. Nevertheless, millions upon millions of records have been affected due to these incidents.

Dow Jones, for example, confirmed that the AWS data leak included details like customer names, email addresses, and some partial credit card numbers. Account credentials or full credit card numbers were not part of this data leak.

The organization claims that this issue affected some 2.2 million customers, but cybersecurity firm UpGuard that found and notified Down Jones about this potential cloud data leakage in early June estimated this number to be closer to 4 million.

All of this information was left exposed in an Amazon Web Services S3 bucket, with its permission settings configured to let any AWS authenticated user download the data using the bucket URL.

Dow Jones says that it has no reason to believe that any of the data was stolen.

But it goes to show that as more and more businesses move the data to the cloud, and adopt the various cloud services, configuration errors like these may become more common. Amazon may add more controls for these companies, but ultimately it comes down to the cloud users themselves.

The ones that are responsible for maintaining the privacy and security settings of their cloud setups.