A Cayman Islands investment firm’s backups stored in Microsoft Azure Blob Storage were not secured properly, resulting in a potential leak of personal banking information, individual passport data, and other sensitive information.
A researcher discovered the gaping hole left open by the firm’s Hong Kong-based IT provider via a specialised search engine that indexes unique URLs. The researcher reported this to The Register, which then reached out to the firm to notify it of the issue.
Interestingly enough, the investment firm disregarded the initial notification from The Register until an employee of the firm was asked to review the email to determine whether it was anything more than a phishing attempt. After a review by the employee and an investigation by their IT provider, the issue was identified and corrected.
The firm was found to have the same level of in-house IT or security expertise as any other small firm whose main business is not technology, which is to say, not a lot. The firm and its employees were completely unaware of how Azure operated or how their files had come to be exposed. They depended entirely on their IT provider to manage and secure their environment.
So, what is the takeaway here?
Solutions like Microsoft Azure Blob Storage or AWS S3 buckets are commonly used to store large quantities of data. Microsoft Azure, AWS and other cloud providers typically provide all the tools required to secure that data; however, the consumer of those products must configure them properly to prevent unauthorized access. Because no one at the investment firm was capable of validating that the IT provider had configured their environment securely, they exposed the sensitive data of their clients.
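A small audit helper of the kind a firm (or its independent assessor) can run to validate a provider's work, added here as an example and not code from the incident or from Elteni: it parses the JSON that the Azure CLI prints for `az storage account show` and `az storage container list` and flags any container that allows anonymous access, together with the account-level `allowBlobPublicAccess` switch. The sample JSON is constructed; the field names are assumed to match what the Azure CLI prints at the time of writing.

```python
"""Audit helper: flag Azure Blob containers that allow anonymous access.

Feed it the JSON printed by two Azure CLI commands (run against your own account):
  az storage account show -n <account> -g <resource-group> -o json
  az storage container list --account-name <account> --auth-mode login -o json
The sample JSON below is constructed for illustration, not taken from the incident.
"""
import json

# Constructed sample of `az storage account show` output, trimmed to the
# account-level switch that permits anonymous blob access at all.
ACCOUNT_JSON = '{"name": "examplebackups", "allowBlobPublicAccess": true}'

# Constructed sample of `az storage container list` output. publicAccess is
# null (private), "blob" (anonymous read of individual blobs) or
# "container" (anonymous read plus listing of the whole container).
CONTAINERS_JSON = """[
  {"name": "backups",  "properties": {"publicAccess": "container"}},
  {"name": "kyc-docs", "properties": {"publicAccess": "blob"}},
  {"name": "logs",     "properties": {"publicAccess": null}}
]"""


def public_containers(containers_json: str) -> dict:
    """Return {container_name: access_level} for every container whose
    publicAccess is set, i.e. readable without any credential."""
    exposed = {}
    for container in json.loads(containers_json):
        level = (container.get("properties") or {}).get("publicAccess")
        if level:  # null/None means private
            exposed[container["name"]] = level
    return exposed


def audit(account_json: str, containers_json: str) -> list:
    """Combine both checks into a list of findings. A public container only
    leaks while the account switch is on, but it is still reported so it is
    cleaned up before anyone turns the switch back on."""
    account = json.loads(account_json)
    findings = []
    # An absent property is treated as "not disabled" rather than as safe.
    if account.get("allowBlobPublicAccess", True):
        findings.append(f"account {account['name']}: allowBlobPublicAccess is not disabled")
    for name, level in public_containers(containers_json).items():
        findings.append(f"container {name}: anonymous access level '{level}'")
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNT_JSON, CONTAINERS_JSON):
        print(finding)
```

An empty result from `audit` is the expected state for a backup store; anything else should be raised with the provider and re-checked after remediation.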
While it may seem that the IT provider was negligent, the ultimate responsibility for making sure client data is secure rests with the investment firm. Issues like this can lead to the demise of a firm, or at a minimum cause enough reputational harm to tarnish it for good.
Elteni has designed various services to keep businesses like this investment firm safe by acting as the independent partner that can assess, recommend, and remediate issues like this. Our Public Cloud Assessment Services and virtual Chief Information Security Officer services provide the oversight needed to protect public cloud environments.