Another Day, Another Company Leaving Sensitive User Data Exposed Publicly On The Amazon Cloud
from the dysfunction-junction dept
What is it about companies leaving consumer data publicly exposed on an Amazon cloud server? Verizon made headlines after one of its customer service vendors left the personal data of around 6 million consumers just sitting on an Amazon server without adequate password protection. A GOP data analytics firm was also recently soundly ridiculed after it left the personal data of around 198 million citizens (read: most of you) similarly just sitting on an Amazon server without protection. Time Warner Cable also recently left 4 million user records sitting in an openly-accessible Amazon bucket.
You’d think that after all of this press attention fixated on a fairly basic (but massive) screw up, that companies would stop doing this. But you’d be wrong.
The latest company to fail at fundamental security practices is California’s Bank of Cardiff, which managed to leave millions of phone recordings made by employees — you guessed it — in an unsecured Amazon cloud bucket open wide to the general internet. Many of the phone recordings exposed include bank employees talking with customers about sensitive financial transactions:
“Many of the calls appear to be Bank of Cardiff employees phoning up individuals the bank has discussed loans with, or attempting to offer them one. One call includes a potential customer discussing their plans for obtaining financing either from Bank of Cardiff or a competitor. In another, an employee contacts a company focused on industrial equipment; Motherboard identified the company because of its hold music which includes the firm’s website. The company did not respond to a request for comment. In a third call, an employee contacted a company about a business loan.”
Yeah, whoops-a-daisy. The practice by lazy and/or incompetent companies has basically made a career for folks like UpGuard cyber risk analyst Chris Vickery, who has spent the better part of the last few years searching and exposing companies that can’t be bothered to secure their cloud accounts. But again, it’s absolutely incredible given the media exposure of this basic gaffe that every company on the planet hasn’t done an audit to make sure their brand isn’t the next one in lights for security incompetence.
Bank of Cardiff has yet to issue a public statement on the exposure, but it did finally lock down access to the data trove once journalists and security researchers (once again) did their jobs for them.