The sensitive personal and financial details of nearly 2.2 million Dow Jones & Co. customers were inadvertently exposed due to a configuration error on a cloud storage server, the publication confirmed on Monday.
The exposed information, which included the names, addresses, account information, email addresses and last four digits of credit card numbers of millions of customers, including Wall Street Journal and Barron's subscribers, was accessible online to anyone who had an Amazon Web Services account.
Cybersecurity firm UpGuard, which discovered the exposure and notified Dow Jones in early June, estimated the number of affected accounts was closer to 4 million. Security analysts noted that data related to the Dow Jones Risk and Compliance databases, which are mostly used by financial organisations to comply with anti-money laundering regulations, was also exposed in the cloud leak.
UpGuard Director of Cyber Risk Research Chris Vickery found the data inside a repository on Amazon's Simple Storage Service (S3) that was accidentally configured to allow any AWS "Authenticated Users" to access and download the data.
"Per Amazon's own definition, an 'authenticated user' is 'any user that has an Amazon AWS account,' a base that already numbers over a million users," UpGuard researchers wrote in a blog post, noting that registration for an AWS account is free.
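The kind of grant described above can be caught by auditing a bucket's ACL for the predefined S3 group grantees. The following is an added example, not code from UpGuard or Dow Jones: it checks a dict shaped like an S3 GetBucketAcl response, and the sample ACL (including its READ permission, which the article does not specify) is constructed for illustration.

```python
"""Flag S3 bucket ACL grants made to broad predefined AWS groups."""

# Predefined Amazon S3 group URIs that open a bucket well beyond its owner.
BROAD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, no AWS account needed",
}
# Meaning of each ACL permission when it is granted on a bucket.
BUCKET_PERMISSIONS = {
    "READ": "list the objects in the bucket",
    "WRITE": "create objects in the bucket",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "READ, WRITE, READ_ACP and WRITE_ACP",
}

def find_broad_grants(acl):
    """Return one finding per grant to a broad group in a GetBucketAcl-shaped dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in BROAD_GROUPS:
            continue  # owner grants and narrow groups (e.g. log delivery) are not flagged
        perm = grant.get("Permission", "")
        findings.append({
            "group": uri.rsplit("/", 1)[-1],
            "audience": BROAD_GROUPS[uri],
            "permission": perm,
            "allows": BUCKET_PERMISSIONS.get(perm, "unknown permission"),
        })
    return findings

# Constructed sample: IDs are placeholders and the READ permission is an assumption.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for f in find_broad_grants(SAMPLE_ACL):
        print(f"{f['group']} ({f['audience']}) has {f['permission']}: {f['allows']}")
```

Object-level ACLs carry the same group grantees, so the same check applies to the grants returned for individual objects.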
"This was due to an internal error, not a hack or attack," a Dow Jones spokesman told The Hill. "We have no evidence any of the over-exposed information was taken."
The spokesman also suggested that the information exposed was not sensitive enough to require notifying customers affected by the incident.
"The customer information included basic contact information; it did not include full credit card or account login information that could pose a significant risk for consumers or require notification," the spokesman said.
However, UpGuard researchers warned that the data exposed could be "exploited by malicious actors employing a number of attack vectors already known to have been successful in the past."
"Customer names, addresses, email addresses, and the smaller amount of phone numbers would be of use to any spammers or digital marketers, but could also be used to far more malign effect," UpGuard researchers said. "With a list of four million subscribers to Dow Jones publications, it is not hard to see how malicious actors could deploy phishing messages against exposed customers.
"Sending official-looking emails purporting to be from The Wall Street Journal notifying customers their subscription had lapsed, or that their accounts had been compromised, malicious actors could have succeeded in convincing such high-value targets to supply credit card information, login credentials, or more."
Researchers also noted that the last four digits of customers' credit cards, which were also exposed in the cloud leak, could potentially be used by threat actors. They noted that a security flaw discovered in 2015 allowed anyone with the last four digits of a Chase or Bank of America credit card number and the victim's phone number to gain access to the account.
News of the exposure comes just a week after Verizon confirmed that a third-party vendor had exposed millions of subscribers' records on an unprotected Amazon S3 storage server. Earlier this month, WWE confirmed that an unprotected database containing the details of over 3 million users was found stored in plain text on an Amazon Web Services S3 server.
Zohar Alon, CEO of cloud infrastructure security firm Dome9, pointed out that the latest cloud leak marks the "fifth significant misconfiguration in public cloud infrastructure in the past couple of months."
"Dow Jones, Verizon, the WWE, the US voter records and Scottrade leaks each were a result of human error and could have easily been mitigated with proper controls and checks in place," Alon said. "It does not matter if data exposure is malicious in intent for organizations to face stiff penalties for handling sensitive information, which is more reason the recent run on public cloud misconfigurations is something organizations need to address."