News broke this week that sensitive data was exposed yet again. Remember our running analogy that we are living in the cybersecurity version of the movie Groundhog Day? It feels like the same day, the same problem, the same leak over and over again. Too often now we hear about S3 bucket leaks (FedEx, Alteryx, National Credit Federation, Verizon, Australian Broadcasting Corporation, Dow Jones, Deep Root Analytics, Robocent, Macy’s, Adidas, etc.) that have exposed sensitive, personal information belonging to hundreds of millions of people around the world. This epidemic has seen the theft or loss of more than 9 billion data records in the last five years.
So what happened this time?
GoDaddy, one of the world’s top domain name registrars with over 18 million customers, was discovered to have files containing detailed server information stored in an unsecured S3 bucket. According to the report from cybersecurity firm UpGuard, the exposed documents include high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios.
Mallory Locklear of Engadget reported that UpGuard notified GoDaddy shortly after uncovering the exposed storage bucket, but GoDaddy did not secure the information for over five weeks. When UpGuard’s researcher followed up on the progress of his report during that time, he was told that delays of this kind are typical following security reports such as this one.
In this instance, the exposed bucket appears to have been created and misconfigured by Amazon’s own staff rather than by GoDaddy. “The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” an AWS spokesperson told Engadget. “No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”
Even though the publicly exposed S3 bucket holding GoDaddy’s data appears to have been the fault of its cloud provider, real risk remains: did anyone besides UpGuard access the information during the five-plus weeks the bucket stayed exposed? That question can only be answered from records that were already being collected before the exposure, such as S3 server access logs or CloudTrail data events for the bucket; if neither was enabled, there is no way to know who read the files.
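To make that question concrete, here is an added example (not code from UpGuard, GoDaddy or DivvyCloud) that triages S3 server access logs for successful reads by anyone other than the bucket owner. It assumes the standard S3 server access log layout, in which the requester field is the caller’s canonical user ID or “-” for unauthenticated requests and the operation field names the S3 operation (REST.GET.OBJECT, REST.GET.BUCKET, …); the bucket name, canonical IDs and log lines below are constructed for the example.

```python
"""Triage S3 server access logs for reads by anyone other than the bucket owner.

Added example for this post, not UpGuard's, GoDaddy's or DivvyCloud's code.
Assumes the standard S3 server access log format: space-separated fields,
with the timestamp in [brackets] and the request line / referer / user agent
in "quotes". The requester field is the canonical user ID of the caller, or
"-" for unauthenticated requests. Sample log lines, bucket name and IDs are
constructed placeholders.
"""

# Positional field names of an S3 server access log record (first 18 fields).
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referer", "user_agent", "version_id",
]

OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"     # placeholder canonical ID
STRANGER = "e2fd9b6e0c4e4a5cbd5b5cc1b3e2f0bd4a7e9c7a1b2c3d4e5f60718293a4b5c6d"  # placeholder canonical ID

# Constructed sample: one owner read, an anonymous listing and download,
# a download by another AWS account, and an anonymous request that was denied.
SAMPLE_LOG = f"""\
{OWNER} pricing-scenarios [12/Jun/2018:14:02:11 +0000] 192.0.2.10 {OWNER} 3E57427F3EXAMPLE REST.GET.OBJECT cloud/godaddy-ri-pricing.xlsx "GET /pricing-scenarios/cloud/godaddy-ri-pricing.xlsx HTTP/1.1" 200 - 524288 524288 41 12 "-" "aws-cli/1.15.0" -
{OWNER} pricing-scenarios [19/Jun/2018:03:17:45 +0000] 198.51.100.7 - 9A1C22B0EXAMPLE REST.GET.BUCKET - "GET /pricing-scenarios?max-keys=1000 HTTP/1.1" 200 - 8192 - 30 11 "-" "python-requests/2.18.4" -
{OWNER} pricing-scenarios [19/Jun/2018:03:17:46 +0000] 198.51.100.7 - 9A1C22B1EXAMPLE REST.GET.OBJECT cloud/godaddy-ri-pricing.xlsx "GET /pricing-scenarios/cloud/godaddy-ri-pricing.xlsx HTTP/1.1" 200 - 524288 524288 55 14 "-" "python-requests/2.18.4" -
{OWNER} pricing-scenarios [20/Jun/2018:22:05:03 +0000] 203.0.113.9 {STRANGER} 7C0D11A4EXAMPLE REST.GET.OBJECT cloud/hosting-servers.csv "GET /pricing-scenarios/cloud/hosting-servers.csv HTTP/1.1" 200 - 2048000 2048000 120 20 "-" "S3Console/0.4" -
{OWNER} pricing-scenarios [21/Jun/2018:09:40:00 +0000] 203.0.113.44 - 5F9E00C2EXAMPLE REST.GET.OBJECT cloud/hosting-servers.csv "GET /pricing-scenarios/cloud/hosting-servers.csv HTTP/1.1" 403 AccessDenied - 2048000 9 - "-" "curl/7.58.0" -
"""


def tokenize(line):
    """Split one log record; [..] and ".." groups are single tokens."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c.isspace():
            i += 1
        elif c == "[":
            j = line.index("]", i)
            tokens.append(line[i + 1:j])
            i = j + 1
        elif c == '"':
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_line(line):
    tokens = tokenize(line)
    if len(tokens) < 17:
        raise ValueError(f"unexpected field count {len(tokens)}: {line[:60]}")
    return dict(zip(FIELDS, tokens))


def external_reads(log_text, owner_id):
    """Successful object/listing reads by any principal that is not the owner.

    Denied requests (non-200) are skipped: they show probing, not data loss."""
    read_ops = {"REST.GET.OBJECT", "REST.HEAD.OBJECT", "REST.GET.BUCKET"}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["operation"] not in read_ops or rec["http_status"] != "200":
            continue
        if rec["requester"] == owner_id:
            continue
        findings.append({
            "time": rec["time"],
            "requester": "anonymous" if rec["requester"] == "-" else rec["requester"],
            "remote_ip": rec["remote_ip"],
            "operation": rec["operation"],
            "key": rec["key"],
            "bytes_sent": int(rec["bytes_sent"]) if rec["bytes_sent"] != "-" else 0,
        })
    return findings


if __name__ == "__main__":
    for f in external_reads(SAMPLE_LOG, OWNER):
        print(f"{f['time']}  {f['remote_ip']:15}  {f['requester'][:12]:12}  {f['operation']:16}  {f['key']}  {f['bytes_sent']} bytes")
```

On the sample, the owner’s own download and the denied request drop out, leaving the anonymous listing, the anonymous download and the download by another account, which is exactly the “who else read this” list an incident responder needs. The catch the paragraph above makes is visible here too: if server access logging was not turned on for the bucket before the exposure window, there is simply no log text to feed in.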
“One could arguably say that GoDaddy hosts a fifth of the internet,” UpGuard reported. “And a successful attack on its systems could potentially disrupt global internet traffic.”
In the movie Groundhog Day, Bill Murray’s character is trapped in a time loop that he can only escape after accumulating knowledge over many passes through the same day. Companies should have plenty of knowledge about S3 bucket leaks by now, so instead of waiting 34 years (one estimate of the time Murray’s character spent in the loop), organizations should learn from their peers’ mistakes and put cloud security at the forefront of their development plans immediately.
You can stop S3 bucket leaks today with one easy step: install DivvyCloud.
In about 15 minutes, you can install DivvyCloud, connect your cloud accounts (AWS, Azure, and GCP), quickly see which S3 buckets are misconfigured, and then turn on real-time, continuous, automated remediation of misconfigured buckets.
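As an added illustration of what “see misconfigured buckets” and “remediate” amount to at the API level (example code written for this post, not DivvyCloud’s product), the following audits the three things that make an S3 bucket public or leave it unprotected: ACL grants to the AllUsers or AuthenticatedUsers groups, bucket-policy statements with a wildcard principal, and missing S3 Block Public Access flags. It operates on the plain dicts that boto3 returns for get_bucket_acl, get_bucket_policy and get_public_access_block, so the two bucket snapshots are constructed and it runs offline. S3 Block Public Access did not exist when the GoDaddy bucket was exposed; it is the remediation an engineer would apply today.

```python
"""Flag publicly exposed S3 buckets and produce the remediation to apply.

Added example for this post, not DivvyCloud's product code. Inputs are the
dicts boto3 returns for a bucket: get_bucket_acl(), json.loads of the
"Policy" string from get_bucket_policy(), and the PublicAccessBlockConfiguration
from get_public_access_block() (None when the bucket has none). The two
bucket snapshots below are constructed, with a placeholder canonical ID.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Grants to AllUsers (anyone) or AuthenticatedUsers (any AWS account)."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant['Permission']}")
    return out


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Allow statements open to every principal. A Condition (aws:SourceIp,
    aws:SourceVpc, ...) may narrow them, so those are tagged for human review
    rather than silently skipped."""
    out = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sid = st.get("Sid", f"Statement{i}")
        tag = "conditional" if st.get("Condition") else "unconditional"
        out.append(f"{sid}:{tag}:{','.join(actions)}")
    return out


def public_access_block_gaps(pab):
    """Block Public Access flags that are missing or false (all four if pab is None)."""
    cfg = pab or {}
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]


def audit_bucket(name, acl, policy, pab):
    findings = (
        [f"acl:{g}" for g in public_acl_grants(acl)]
        + [f"policy:{s}" for s in public_policy_statements(policy or {})]
        + [f"pab:{f}" for f in public_access_block_gaps(pab)]
    )
    report = {
        "bucket": name,
        "public": any(f.startswith(("acl:", "policy:")) for f in findings),
        "findings": findings,
    }
    if findings:
        # Turning on all four flags neutralises public ACLs and policies; the ACL
        # reset additionally removes the stale grant from the bucket itself.
        report["remediation"] = {
            "put_public_access_block": {flag: True for flag in PAB_FLAGS},
            "put_bucket_acl": "private" if public_acl_grants(acl) else None,
        }
    return report


OWNER = {"ID": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be",
         "DisplayName": "aws-sales-demo"}  # placeholder canonical ID

# Constructed snapshot of a bucket like the one in the post: anyone can list and read it.
LEAKY = {
    "acl": {"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::pricing-scenarios/*"}]},
    "pab": None,
}

# Constructed snapshot of a bucket that is locked down the way S3 defaults to.
LOCKED = {
    "acl": {"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"}]},
    "policy": None,
    "pab": {flag: True for flag in PAB_FLAGS},
}

if __name__ == "__main__":
    for name, snap in (("pricing-scenarios", LEAKY), ("locked-down", LOCKED)):
        print(json.dumps(audit_bucket(name, snap["acl"], snap["policy"], snap["pab"]), indent=2))
```

Against a live account you would walk `s3.list_buckets()`, gather the three inputs per bucket (`get_bucket_policy` fails with the NoSuchBucketPolicy error code when there is no policy, and `get_public_access_block` with NoSuchPublicAccessBlockConfiguration when none is set; treat both as “absent”), and apply the `remediation` dict with `put_public_access_block` and `put_bucket_acl`. The statement-level check deliberately reports conditional wildcard grants instead of trusting them, because whether a condition such as aws:SourceIp actually excludes the public is a judgement call, not something a string match can settle.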
Make S3 bucket leaks a thing of the past (now and forever). Install DivvyCloud today with a free 30-day trial and make sure your company never makes the news for an S3 bucket leak.
DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.