Data stored in the cloud by a Sprint contractor, containing hundreds of thousands of phone bills of US citizens, was left exposed and potentially viewable by anyone for an undetermined period of time, it has emerged.
As TechCrunch reports, the cache of data – kept in an Amazon S3 bucket, essentially a container for files in AWS's cloud storage service – consisted of over 260,000 documents, most of which were phone bills of AT&T, Verizon and T-Mobile customers, dating back up to four years in some cases.
The bills contained a whole load of confidential information, as you might imagine, including names, addresses and call histories. Other sensitive material was present alongside the bills, such as bank statements, and even a screenshot of online usernames and passwords for customer accounts.
These buckets should be private, obviously, and a new bucket is private by default, but they can be misconfigured: an access control list (ACL) or bucket policy that grants read access to everyone leaves the contents open to anyone who finds the bucket's address. In this case it was Fidus Information Security which discovered the exposed data.
The UK-based penetration testing security outfit – which probes and evaluates company networks by launching simulated attacks against them – discovered the bucket and reported the problem to Amazon, which quickly closed the hole, as you would expect.
There’s a hole in the bucket, dear Liza…
Amazon didn’t disclose the name of the owner of the bucket, but by examining a file and subsequently engaging in a bit of detective work, TechCrunch found that the owner was Deardorff Communications, the marketing agency which handles promotions for Sprint.
This tallied with Sprint-branded documents found in the cache of files which indicated that all these phone bills were collected as part of an offer to allow the people in question to switch from their current network provider to Sprint – with Sprint paying off the early termination fee to allow the subscriber to move. This is a common incentive in the mobile industry.
The president of Deardorff Communications, Jeff Deardorff, confirmed to TechCrunch that his marketing company did indeed own the bucket in question, and that public access to it had now been shut down.
He commented: “I have launched an internal investigation to determine the root cause of this issue, and we are also reviewing our policies and procedures to make sure something like this doesn’t happen again.”
He wouldn’t, however, be drawn on whether the people to whom the bills belong would be informed of the potential exposure of their sensitive data.
With what should I fix it?
Amazon has been busy making plenty of revelations over at its AWS re:Invent 2019 conference, and funnily enough, one of those was the launch of Access Analyzer for S3, a new security tool for customers using S3 cloud storage.
This tool keeps a watchful eye on bucket policies and ACLs for settings that grant public or cross-account access, flagging the buckets concerned and making them easy to lock down with a single click using S3's Block Public Access feature.
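The misconfiguration described above (an ACL or bucket policy that grants access to everyone) and the check that Access Analyzer for S3 automates can be reproduced offline. The following is an added example written for this article; it is not code from Fidus, Amazon, Deardorff or the AWS tool itself. The bucket policy, ACL and Block Public Access documents are constructed for illustration, and the account ID, bucket name and the treatment of `Condition` blocks as non-public are assumptions.

```python
# Added example (not code from the article, Fidus, Amazon or Deardorff):
# an offline check of the three settings that decide whether an S3 bucket
# is public. The policy, ACL and public-access-block documents below are
# constructed for illustration; on a real account they come from
# `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`.
import json

# ACL grantee groups that mean "everyone" (AllUsers) or "anyone with an AWS
# account" (AuthenticatedUsers); both are effectively public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(principal):
    """Flatten the Principal element of a policy statement into a list."""
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return principal if isinstance(principal, list) else [principal]


def public_policy_statements(policy):
    """Sids of Allow statements open to the anonymous principal "*".

    Simplification (assumption): a statement carrying any Condition is
    treated as scoped and skipped; a real analyser evaluates the condition
    keys instead of trusting them blindly.
    """
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "*" in _principals(st.get("Principal", {})):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """Permissions (READ, FULL_CONTROL, ...) granted to a public group."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def assess_bucket(policy, acl, public_access_block):
    """Return the public grants that are still effective for this bucket.

    Block Public Access overrides the grants: IgnorePublicAcls neutralises
    public ACL grants and RestrictPublicBuckets neutralises public policy
    statements (BlockPublicAcls/BlockPublicPolicy only reject new ones).
    """
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    findings = []
    if not pab.get("RestrictPublicBuckets", False):
        findings += [f"policy statement {sid} allows Principal *"
                     for sid in public_policy_statements(policy)]
    if not pab.get("IgnorePublicAcls", False):
        findings += [f"ACL grants {perm} to a public group"
                     for perm in public_acl_grants(acl)]
    return findings


# Constructed sample documents (bucket name and account ID are made up).
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bills-bucket/*"},
    {"Sid": "OwnerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bills-bucket/*"}
  ]
}""")

LEAKY_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Empty dict stands for "no Block Public Access configuration on the bucket".
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for label, pab in (("no block", {}), ("block public access on", HARDENED_PAB)):
        print(label, assess_bucket(LEAKY_POLICY, LEAKY_ACL, pab) or ["private"])
```

With no Block Public Access configuration the sample bucket reports two effective public grants (the `PublicRead` policy statement and the AllUsers READ ACL); with all four block settings enabled the same grants are neutralised and nothing is reported. On a real bucket the equivalent one-click fix is `aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`, after which the offending policy and ACL should still be removed rather than merely overridden.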
Leaky buckets have been a big problem for a large number of organizations down the years, causing plenty of data breaches, and hopefully this security utility will help make this kind of incident a lot rarer.