Unknown parties got in on the act: a technician at DXC Technologies accidentally uploaded the outsourcing firm's AWS private keys to a public GitHub repository.
And hilarity ensued.
This classic fumble left the company footing a $64,000 bill after miscreants spun up 244 virtual machines on Amazon Web Services. The company disclosed the incident in a PDF memo sent to staff, which revealed the details:
“Various secure variables (cryptographic keys that allowed access to DXC procured Amazon Web Services resources) were hardcoded into a piece of work being shared between multiple teams and with the project architect.
Over a period of four days, the private keys were used to start 244 AWS virtual machines. The cost incurred was $64k (£48,799).”
A member of the company's technical team created a personal space on public GitHub on September 27 and uploaded the code there, leaving the private keys it contained available to anyone who came across the unsecured location.
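The root cause described above is credentials hard-coded in source and pushed to a public repository. As an added illustration that is not part of the original article or of DXC's tooling, the following Python scanner shows the kind of check a pre-commit hook or CI job can run over staged file content to catch AWS access key IDs (the AKIA/ASIA prefix and 20-character shape are AWS's documented format) and 40-character secret keys assigned next to a secret-looking variable name. The sample files and key values are constructed (the keys are the placeholder credentials from AWS's own documentation), and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 characters:
# a 4-character prefix followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# A secret access key is 40 characters from the base64 alphabet. On its own that
# shape also matches SHA-1 hashes and random tokens, so the pattern requires an
# assignment to a secret-looking variable name to keep false positives down.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never write the full credential into a report or log


def redact(value: str) -> str:
    """Keep only the first and last four characters for the report."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per credential-shaped token in the given file content."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key", redact(m.group(2))))
    return findings


def check_commit(files: Dict[str, str]) -> List[Finding]:
    """Scan every staged file; a non-empty result means the commit should be blocked."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample of a "piece of work shared between teams" with the keys inlined.
# The key values are the placeholder credentials used in AWS's own documentation.
SAMPLE_FILES = {
    "deploy.py": (
        "import boto3\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'ec2 = boto3.client("ec2", region_name="eu-west-1")\n'
    ),
    # A 40-character commit hash must not trip the secret-key rule.
    "README.md": (
        "# Deploy notes\n"
        "Pinned to commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12\n"
    ),
}

if __name__ == "__main__":
    for f in check_commit(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

Run as a pre-commit hook, a non-empty result from `check_commit` should fail the commit; the report carries only the redacted token so the hook itself does not leak the credential into CI logs. Keys that reach a public repository anyway must be treated as compromised and rotated, which is exactly the cleanup the memo describes.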
It is not yet known who obtained these keys and used them to launch VMs on the Amazon cloud.
Interestingly, DXC's own monitoring tool, Cloud Checker, indicated that most of these virtual machines were started within 24 hours of the private keys being published. The code was actually out in the open for less than a day before the company removed it.
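The Cloud Checker observation above, that most instances were launched within 24 hours of the leak, is the signal a defender can alert on before the bill reaches five figures. The following Python is an added example, not DXC's Cloud Checker or any AWS code: it walks constructed CloudTrail-style RunInstances events, computes for each access key the largest number of instances launched inside any 24-hour window, and flags keys that exceed a threshold. The event records, key IDs and the threshold of 25 are constructed values; the field names eventTime, eventName and accessKeyId follow CloudTrail's record layout, while the per-event count is a flattening of CloudTrail's nested instance set.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed CloudTrail-style events, flattened: the real record nests the key under
# userIdentity.accessKeyId and lists launched instances under responseElements.instancesSet.
# Key IDs are documentation-style placeholders, not real credentials.
LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"
CI_KEY = "AKIAEXAMPLECICD00000"

SAMPLE_EVENTS = [
    {"eventTime": "2017-09-27T08:00:00Z", "eventName": "RunInstances", "accessKeyId": CI_KEY, "count": 2},
    {"eventTime": "2017-09-27T18:02:11Z", "eventName": "RunInstances", "accessKeyId": LEAKED_KEY, "count": 20},
    {"eventTime": "2017-09-27T19:30:45Z", "eventName": "RunInstances", "accessKeyId": LEAKED_KEY, "count": 50},
    {"eventTime": "2017-09-27T19:31:02Z", "eventName": "DescribeInstances", "accessKeyId": LEAKED_KEY, "count": 0},
    {"eventTime": "2017-09-28T02:15:30Z", "eventName": "RunInstances", "accessKeyId": LEAKED_KEY, "count": 60},
    {"eventTime": "2017-09-28T08:00:00Z", "eventName": "RunInstances", "accessKeyId": CI_KEY, "count": 2},
    {"eventTime": "2017-09-28T09:40:12Z", "eventName": "RunInstances", "accessKeyId": LEAKED_KEY, "count": 40},
    {"eventTime": "2017-09-29T08:00:00Z", "eventName": "RunInstances", "accessKeyId": CI_KEY, "count": 2},
    {"eventTime": "2017-09-30T11:00:00Z", "eventName": "RunInstances", "accessKeyId": LEAKED_KEY, "count": 30},
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def max_launches_in_window(events: List[dict], window: timedelta) -> int:
    """Largest number of instances launched by one key inside any window-sized span.
    Two-pointer sweep over time-sorted events, so each event is added and removed once."""
    items = sorted((parse_time(e["eventTime"]), e["count"]) for e in events)
    best = running = start = 0
    for end, (t_end, count) in enumerate(items):
        running += count
        # Drop events that fell out of the window ending at t_end.
        while t_end - items[start][0] > window:
            running -= items[start][1]
            start += 1
        best = max(best, running)
    return best


def launches_per_key(events: List[dict], window: timedelta = timedelta(hours=24)) -> Dict[str, int]:
    """Per access key, the peak RunInstances volume in any window; other API calls are ignored."""
    by_key: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["eventName"] == "RunInstances":
            by_key[e["accessKeyId"]].append(e)
    return {key: max_launches_in_window(evs, window) for key, evs in by_key.items()}


def flag_keys(events: List[dict], threshold: int = 25) -> List[str]:
    """Keys whose peak launch volume exceeds what the environment normally sees."""
    return [key for key, peak in launches_per_key(events).items() if peak > threshold]


if __name__ == "__main__":
    for key, peak in launches_per_key(SAMPLE_EVENTS).items():
        print(f"{key[:4]}...{key[-4:]}: {peak} instances in peak 24h window")
    print("alert:", flag_keys(SAMPLE_EVENTS))
```

In the constructed data the CI key never exceeds four instances in a day while the leaked key peaks at 170, so a fixed threshold separates them cleanly; in a real account the threshold would be set from each key's own baseline, and the alert would be wired to an automatic deactivation of the key rather than a daily report, since by the time a human reads it the four-day spend described above has already accrued.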
Nevertheless, the company incurred additional costs on top of the AWS bill: it had to change all the affected variables, usernames and passwords.