News & Comment: Thousands of US voters’ data exposed by robocall firm


NEWS: ZDNet revealed that a Virginia-based political campaign and robocalling company, which claims it can “reach thousands of voters instantly,” left a huge batch of files containing hundreds of thousands of voter records on a public and exposed Amazon S3 bucket that anyone could access without a password. This is another example of customers not adequately protecting their sensitive data, even from breaches inadvertently caused by misconfigurations and human error. Each record contains a voter’s name, address, and “calculated” political affiliation.


COMMENT:


Pravin Kothari, CEO of cloud security vendor CipherCloud, offered the following insights into this story:

In February 2016, the Top Threats Working Group of the Cloud Security Alliance® published the first edition of a comprehensive report on “Cloud Computing Top Threats.” Not surprisingly, human error, misconfigurations and procedural errors by cloud personnel were identified at that time as events which could lead to a serious data breach.

 

History Keeps Repeating Itself

The robocalling firm is in the good and perhaps unfortunate company of many major firms who have accidentally exposed confidential and sensitive data being stored in cloud services unprotected. Some recent and similar examples of this sensitive data being accidentally shared and made available to the public include:

  • In November, 2017 it was reported that the Pentagon accidentally shared 1.8 billion intelligence data objects in a database based on mis-configured Amazon S3 storage permissions. The information exposed, which goes back as far as 2009, is held by U.S. Central Command (Centcom) and U.S. Pacific Command (Pacom).
  • In October, 2017 it was reported that Accenture inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon’s S3 storage service, contained hundreds of gigabytes of data for the company’s enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100. The data could be downloaded without a password by anyone who knew the servers’ web addresses.
  • In September, 2017 it was reported that two cloud-based data repositories managed by BroadSoft Inc., which contained sensitive customer information, were configured to enable public access, leaving the information exposed. Among the data exposed to public access was a “User Profile Dump” dated 7 July 2017 that contained “more than 4 million records, with Transaction ID, usernames, Mac addresses, Serial Numbers, Account Numbers, Service, Category details, and more. Other databases also have billing addresses, phone numbers etc., for hundreds of thousands of Time Warner Cable customers.
  • Earlier this year in February, 2018 it was reported that an affiliate of FedEx exposed the personal information of tens of thousands of users. The information, which included 119,000 scanned documents such as passports, driver’s licenses, security IDs and the like, was stored on an open S3 server belonging to Bongo International, a company FedEx purchased in 2014 and which became part of the shipping firm’s now-shuttered FedEx CrossBorder service. “IDs were accompanied by scanned “Driver Applications” – which also contained names, home addresses, phone numbers and zip codes.

Who’s Responsible?

Ultimately, customers are responsible for protecting their own data – not the cloud provider. At some point, most services on the internet will be penetrated and compromised. All of these breaches could have been avoided and of little consequence if, and only if, the data was end-to-end encrypted. When end-to-end encrypted, even under most tough compliance regulations, if the data is stolen or accessed it is not considered a breach as it is unusable to the cyber attacker. Even the encryption offered by cloud providers is just not enough to protect data. End-to-end encryption protects against all attacks because it is implemented at the edge of the enterprise. API attacks, misconfiguration, malicious cloud personnel, whatever, it won’t impact the safety of end-to-end encrypted cloud data. Regardless of the problems at the SaaS or cloud provider end, your data would be safe.”