Storing files on public cloud services is one of the most secure ways to protect your data, so long as you actually secure it.
A contractor working for Verizon exposed 14 million customer records, including phone numbers and PINs that would grant account access, after leaving the data unprotected on one of Amazon Web Services’ servers, ZDNet reported Wednesday. That contractor, who is most likely no longer working for Nice Systems, set up an AWS S3 server to store the records as part of a project they were working on for Verizon, but left the information “downloadable by anyone with the easy-to-guess web address,” according to ZDNet.
If you listen to cloud vendors talk about cloud security, you’ll almost always hear them say something along the lines of “cloud security is a two-way street.” It’s part of the social compact of cloud computing: cloud vendors like AWS, Microsoft, and Google can afford to hire the best security talent in the industry, which your company can’t do, but in exchange for having access to that talent, cloud computing customers need to take a few basic precautions.
When you set up an S3 account and “bucket” (the term AWS uses for file storage), AWS sets the default permissions for that bucket to private, which means whoever left the records exposed had to override that default setting. There certainly are reasons why a contractor would want to grant access to these records to at least a few people, but it’s hard to think of a valid reason why a contractor would need to expose customer data to the entire world.
Verizon told ZDNet that it believes no one actually accessed the data, and the data didn’t contain truly sensitive information like Social Security numbers or bank accounts, but it’s a wake-up call to anyone using cloud storage. After all, you can’t blame ADT after your house gets robbed because you forgot to turn on the alarm and left the doors unlocked.