News

Configuration Error Leads to Another Amazon Web Services Data Breach

The records of nearly 200 million U.S. voters were compromised.

• By David Ramel
• 06/21/2017

As so often happens, a simple misconfiguration has resulted in the compromise of hundreds of millions of private data records.

In this case, it was information on American voters, and was easily avoidable.

Multiple security reports recently revealed the dangers of cloud computing misconfigurations, resulting in vulnerabilities that have again manifested in the real world as personal information about nearly 200 million voters was left exposed on an Amazon Web Services-hosted S3 bucket.

Security firm UpGuard Inc. discovered the data left exposed by Deep Root Analytics, a Republican data firm working for the Republican National Committee (RNC).

"In total, the personal information of potentially near all of America's 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as 'modeled' voter ethnicities and religions," said UpGuard in a post that was updated yesterday.

Misconfigured cloud-based data stores have resulted in many vulnerabilities and threats, such as the recent spate of ransomware attacks targeting MongoDB databases, Elasticsearch repositories and other sources.

The misconfiguration problem has since been publicized by security firms seeking out such vulnerabilities, and UpGuard security analyst Chris Vickery discovered the exposed voter data while searching for just such open cloud repositories.

Deep Root Analytics' data repository was an AWS S3 bucket, which didn't have any access protection.

"As such, anyone with an Internet connection could have accessed the Republican data operation used to power Donald Trump's presidential victory, simply by navigating to a six-character Amazon subdomain: 'dra-dw,'" UpGuard said. There was no mention of proof that attackers downloaded any data for nefarious purposes.

The UpGuard report was just the latest in a string of such announcements, including:

• In April, an analysis of AWS cloud usage by Threat Stack Inc. revealed widespread critical AWS security misconfigurations affecting nearly three-quarters of more than 200 surveyed organizations.
• In May, RedLock Inc. published a research report finding many security issues primarily caused by user misconfigurations on public cloud platforms, with AWS figuring prominently.
• Earlier this month, Appthority published investigation results that found nearly 43 TB of enterprise data was exposed on cloud back-ends, including personally identifiable information (PII).

The finding by UpGuard resulted in a post about "AWS S3 Bucket Provisioning."

"Amazon's Simple Storage Service (S3) storage buckets are notorious for being left unlocked to the public, even by some of the world's largest companies," the post said. "This can result in a massive data breach, if the bucket was holding a corporate database, customer list, or other large collection of sensitive information. And it has. Although the misconfiguration itself, a simple permission, is quite small, its implications can be disastrous."

It took Vickery several days to download some 1.1 TB of data from the unsecured data warehouse, an amount of data equal to 500 hours of video.

"Despite the breadth of this breach, it will doubtlessly be topped in the future -- to a likely far more damaging effect -- if the ethos of cyber resilience across all platforms does not become the common language of all Internet-facing systems," UpGuard said.