by Lisa Vaas
Yet more sensitive data has been left lying around in the cloud.
The Dow Jones Watchlist, which details purportedly dicey executives, their dicey buddies and their dicey businesses to aid organizations in their due diligence, was discovered in an Amazon Web Services (AWS)-hosted Elasticsearch database that somebody forgot to slap a password onto.
Independent security researcher Bob Diachenko last week reported finding a copy of the Watchlist on a public server, open for any and all takers.
All it took to find the unsecured database was a query on one of the publicly available Internet of Things (IoT) search engines.
The researcher reported his find to the Dow Jones security incident response team last Friday (22 February). Fortunately, the team was on it the same day, taking the database down and issuing this statement:
This data is entirely derived from publicly available sources. At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.
The exposed database contained 2.4 million records. A Dow Jones spokesperson told TechCrunch that an “authorized third party” was to blame for the exposure: in other words, it sounds like a paying customer put the records online without securing them.
It might well have been information derived from publicly available sources, but that doesn’t mean it wasn’t sensitive data, conveniently pulled into one repository that includes people’s alleged criminal histories and possible terrorist links. The Watchlist’s names and connections are regularly updated by a Dow Jones research team.
This is a useful repository for businesses. If you’re a big bank, you’re a big target, and, for both legal and branding-linked reasons, you don’t want …