Massive Data breach at the ABC

November 17, 2017

To those who think the cloud is the answer to their security prayers, think again. Vulnerabilities in a cloud service occur often enough. Flaws in services provided by third party providers are a chronic problem. The onus still remains with the party that collects the data, but too many organisations assume that once it is stored via a third party provider, such as in the cloud, that responsibility disappears. Oftentimes data in the cloud is not encrypted or otherwise protected. The ABC has learned these and a few other lessons with a data breach in its cloud services, involving a misconfigured storage bucket, according to The Australian article “ABC caught in massive data leak”. The exposed data seems to relate mainly to commercially sensitive data, bad enough, but also some user names and passwords. The BBC recently discovered that a work tool, Huddle, prepared by a third party provider had a security flaw that allowed a BBC journalist to sign into a KPMG account with full access to private financial documents. Ouch!

As is commonly the case, a data security firm, here Kromtech Security Center, discovers the weakness and notifies the victim. The firm becomes the good netizen while burnishing its credentials, while the victim takes a big hit to its reputation. And it is very embarrassing for the ABC, even though the problem was fixed.

The article provides:

The ABC has leaked a trove of sensitive data, including usernames and passwords, due to a vulnerability in its cloud services, a security firm says.

The Kromtech Security Center reported overnight ABC Commercial — the broadcaster’s retail, sales and publishing arm — accidentally leaked sensitive data including information regarding production services and stock files.

Researchers found several thousand ABC emails, logins and passwords, including what Kromtech said was for “users who are well known members of the media”, as well as 1,800 daily database backups and requests for licensed content, as sent by TV and media producers from all over the world to use ABC’s content and pay royalties.

“Anyone with an internet connection [would have] the ability to browse their sensitive data using nothing more than a web browser,” Kromtech said.

The culprit was a misconfigured Amazon Web Services S3 storage bucket, which has also led to similar leaks at other customers including Accenture and Verizon. AWS warned customers in July to properly configure their S3 buckets.

Kromtech said the researchers immediately sent notification emails to ABC’s IT team, and the vulnerabilities were secured “within minutes.”

Security researcher Troy Hunt told The Australian the ABC has joined a growing list of organisations affected by the issue.

“This is something we’re starting to see pretty frequently,” he said. “Part of the painful thing about this is it is so easy to do, you’re one setting away from your data being totally public or not. The challenge now will be working out who else has obtained this data?

“AWS has provided a tool that’s so easy to use and so efficient that anyone can use it, so this might be a case of someone setting it up over too many beers, who knows.”

Bob Diachenko, Head of Communications, Kromtech, said this is another warning for ABC to take cyber security seriously and audit all servers, repositories, and backups regularly.

“The most unfortunate part is that the issue occurred due to human error and not a malicious attack.”

“It seems like every few days there is yet another data breach, ransomware threat or a new security flaw and companies or organisations must do more to be proactive in how they store sensitive data online,” Mr Diachenko added.

“Security cannot be ignored anymore and it’s not just an organisation’s reputation but the real data of customers, partners, or vital business information that is at stake with each new data breach”.

The breach is not the first for the ABC, which was reportedly hacked in 2013 with details of around 50,000 users — including email addresses and passwords — leaked online.

“The ABC has confirmed that it was notified of a data exposure on 16 November,” an ABC spokesman said.

“ABC technology teams moved to solve this issue as soon as they became aware.”

Of course this is not the only data breach of note in the last little while. Yesterday the Washington State Department of Social and Health Services admitted to sending a spreadsheet containing private information of 515 patients at Western State Hospital to a wrong email address. And on the other coast of the United States, the social security numbers of 2,100 Maine foster care participants were posted online when a contractor posted information outside the Maine Government system onto a third party website.
