A misconfigured AWS cloud storage account has resulted in a data leak affecting thousands of retail customers.
In total, 9,500 files on around 567,000 users, or 20GB of data, were exposed, including personal details. These included full names, physical addresses and purchase details, and some users had their email addresses and phone numbers exposed, although no payment details were found.
The data spans from 2019 to the present, indicating the database contained up-to-date information on its users.
According to research from tech advisors WizCase, a leaky Amazon S3 bucket connected to a Turkish cosmetics company, Cosmolog Kozmetik, was responsible for the data breach.
Amazon S3, or Simple Storage Service, is a cloud storage service offered by Amazon that stores data in unique locations, dubbed buckets, which are similar to folders.
The researchers warned that the company is present on several e-commerce platforms – as such, customers who ordered from the company on one of these platforms may have had their data leaked without their knowledge.
WizCase warned that the large amount of personally identifiable information exposed by the leak puts victims at risk of fraud. Cyberattackers can use email addresses to send people links to malicious websites where their credit card details can be stolen.
With access to a plethora of information, attackers can tailor these emails to each individual, for example by referencing a specific order, making them appear more trustworthy.
These could take the form of common refund scams. In addition, with tracking information, criminals can track shipments to users’ addresses and steal orders as they arrive.
“For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an account on the internet. The less information you give hackers to work with, the less vulnerable you are to attack,” the researchers said in a statement.
WizCase said it had contacted the Turkish CERT, Amazon and Cosmolog Kozmetik to notify them of the breach, although the group said none had replied at the time of writing.
In a similar incident, WizCase researchers found another cloud data leak from a misconfigured and unencrypted Amazon S3 bucket. The breach exposed the emails, passwords, and full names of nearly a million users of various e-learning websites.
Another open Amazon S3 bucket exposed the personal information, including full names, email addresses, and phone numbers, of 9,500 users of American apartment home-sharing platform Niido, the researchers found.
These leaks serve as a reminder that, even when a company’s data is hosted on the cloud, the company is still responsible for ensuring it is secure and encrypted. Failure to do so not only puts a company’s users at risk, it also opens the business to the prospect of a fine under data protection regulations.