Insider Threats In Review November, The Month of 'Ooops'
The headline starts “Another misconfigured Amazon S3 server leaks data…”.
Oops #1: On the 2nd of November, the records of 50,000 Australian employees were left unsecured by a third party. Records including full names, passwords, salaries, IDs, phone numbers, and some credit card data were left exposed. The leak included the following:
- Insurer AMP was the most impacted with 25,000 staff records leaked
- Utility UGL was affected to the tune of 17,000 records
- Rabobank lost 1,500 pieces of information
- Federal Government of Australia suffered around 4,770 records leaked
Oops #2: On the 16th of November, once again a misconfigured Amazon S3 server leaked data from the Australian Broadcasting Corporation (ABC). Thousands of emails, login credentials, hashed passwords of ABC Commercial users, and media producers' requests for licensed content were exposed.
Oops #3: On the 17th of November, information collected by the United States Department of Defense, including two Pentagon unified combatant commands, was left exposed online for anyone to access. The databases belonging to the U.S. Defense Department contained at least 1.8 billion internet posts scraped by intelligence services from news sites, comment sections, web forums and social media, including Facebook.
Here are some other recent Amazon S3 data leakages:
- On the 1st of June, top defence contractor Booz Allen Hamilton leaked 60,000 files, including employee security credentials and passwords to a US government system, via a publicly accessible Amazon Web Services server;
- On the 8th of June, a Verizon partner's misconfigured cloud-based file repository (an Amazon S3 bucket) exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers.
In almost all cases, the key reason was that companies, through their staff, left Amazon S3 "buckets" configured to allow "public" access. This means that anyone with a link to the bucket could access, view, or download its content.
This is not an endemic problem of the Amazon S3 ecosystem as a whole. It is a problem of staff education.
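The "public" setting the article refers to shows up in one of two places on a bucket: an ACL grant to the AWS-predefined AllUsers or AuthenticatedUsers groups, or a bucket policy statement that allows the anonymous principal "*". The following is an added example, not code from the original article, showing how a defender can audit the ACL and policy documents (in the shape the S3 GetBucketAcl and GetBucketPolicy API calls return them) for exactly that misconfiguration, and produce a cleaned ACL with the public grants removed. The bucket names, owner IDs and documents below are constructed sample data; the audit runs offline on those documents and does not call AWS.

```python
"""Audit S3 ACL and bucket-policy documents for public access.

Added example (not part of the original article). It inspects the JSON
shapes returned by GetBucketAcl / GetBucketPolicy; the sample documents
below are constructed and no AWS call is made.
"""
import json

# Predefined AWS groups: a grant to either of these makes the bucket "public".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def strip_public_grants(acl):
    """Return a copy of the ACL with all public-group grants removed (remediation)."""
    cleaned = json.loads(json.dumps(acl))  # deep copy; leave the input untouched
    cleaned["Grants"] = [
        g for g in cleaned.get("Grants", [])
        if not (g.get("Grantee", {}).get("Type") == "Group"
                and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS)
    ]
    return cleaned


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sid (or positional label) of every Allow statement open to anyone.

    Statements carrying a Condition are still reported: a condition may narrow
    access, but the statement is public until a reviewer confirms otherwise.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_anonymous(stmt.get("Principal")):
            findings.append(stmt.get("Sid", "statement[%d]" % i))
    return findings


def audit_bucket(name, acl, policy=None):
    """Summarise one bucket's exposure; 'public' is True if either mechanism opens it."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    return {
        "bucket": name,
        "acl_grants": acl_findings,
        "policy_statements": policy_findings,
        "public": bool(acl_findings or policy_findings),
    }


# --- constructed sample documents (not real buckets or account IDs) ---
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
SAFE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}]}
EXPOSED_ACL = {"Owner": OWNER, "Grants": SAFE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hr-exports/*"}]}

if __name__ == "__main__":
    for report in (audit_bucket("example-hr-exports", EXPOSED_ACL, EXPOSED_POLICY),
                   audit_bucket("example-private", SAFE_ACL)):
        print(json.dumps(report, indent=2))
```

In a real environment the same functions would be fed the output of `get_bucket_acl` and `get_bucket_policy` for every bucket in the account; the cleaned ACL from `strip_public_grants` is what you would write back, and enabling S3 Block Public Access at the account level prevents the grant from being re-added by a well-meaning colleague later.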
Oops #4: On the 24th of November, about 110 Bank of Ireland staff were affected by a data breach earlier this year in which their pay and benefits details were mistakenly circulated internally.
Oops #5: On the 25th of November, Australia's Department of Social Services notified 8,500 current and former employees that their personal and financial data had been breached and exposed for over a year. This time, the data was managed by a third-party contractor called Business Information Services (BIS), and the sensitive data was left exposed from June 2016 until October 2017.
What Can We Learn From This?
When convenience and productivity are chosen over security, employees put sensitive data at risk most of the time.
Given that we are all very busy, stressed and overburdened with tasks, employees will often work around controls, especially ones they feel are onerous, as a way to make their job easier. It's called "the path of least resistance".
What is interesting is that most employees do not willingly violate security policies; the reality is that they cut corners because of work pressure.
Is it any wonder, then, that according to a CEB study 90% of employees violate data breach prevention policies? Is it any wonder that we continue to see data breaches as a result of configuration errors?
Something to Think About
The Verizon 2015 Data Breach Investigations Report suggested that 90% of all incidents come down to people: whether it's goofing up, getting infected, behaving badly, or losing stuff…
It's a common saying that any organisation's greatest assets are its employees. Yet recent events show that employees may also pose the biggest challenge for employers.
It's time that we address the "human" element of risk, rather than looking for another silver bullet solution.
More Insider Threat Articles
To find more articles relating to Trust and Insider Threat, visit http://commsnet.com.au/resources/articles
Looking to Protect Your Business from Insider Threats?
Why not schedule a free one hour consultation with an Insider Threat Specialist by Clicking Here
Download Our FREE Insider Threat E-book
Download our latest Insider Threat E-Book from our website - http://commsnet.com.au/resources/download-the-book