
Meeting and Hotel Booking Provider's Data Found in Public Amazon S3 Bucket (threatpost.com)

Leaks of personal and business information from unsecured Amazon S3 buckets are piling up. From a report: The latest belongs to Groupize, a Boston-area business that sells tools to manage small group meetings as well as a booking engine that handles hotel room-block reservations. Researchers at Kromtech Security found a publicly accessible bucket containing business and personal data, including contracts and agreements between hotels, customers and Groupize, Kromtech said. The data included some credit card payment authorization forms that contained full payment card information including expiration date and CVV code. The researchers said the database stored in S3 contained numerous folders, below; one called "documents" held close to 3,000 scanned contracts and agreements, while another called all_leads had more than 3,100 spreadsheets containing critical Groupize business data including earnings. There were 37 other folders in the bucket containing tens of thousands of files, most of them storing much more benign data.

19 of 37 comments

  1. Internet usage needs to be licensed. by Nutria · · Score: 2

    Not just that, but a license to manage every server you manage and/or create. It sure would cut down on stuff like this and IoT issues.

    (Except that I'm certain that MSFT would use that as a technique for not licensing OSX and Linux users.)

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:Internet usage needs to be licensed. by Anonymous Coward · · Score: 1

      Internet usage needs to be licensed.

      Well, start with the easy things - there are rules for PCIDSS compliance to accept credit cards.

      Is someone paying a big fine?

      LOL. Of course not...

    2. Re:Internet usage needs to be licensed. by SvnLyrBrto · · Score: 1

      PCIDSS is a contractual requirement required by the credit card companies in order to accept payments. It's not a law enforced by government, such as HIPAA. So no, there could never be a fine for a breach. I guess it's possible that there may be a penalty fee specified in the contract, but that's different than a legal fine. Mostly, you just lose your ability to take credit card payments which would sink many businesses.

      --
      Imagine all the people...
    3. Re:Internet usage needs to be licensed. by AmiMoJo · · Score: 1

      Just impose heavy fines for people who are this grossly negligent. In the UK there is something called the Information Commissioner's Office, which can and does fine companies for this kind of mishandling of sensitive, personal data.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Not very good at English either by Anonymous Coward · · Score: 1

    Not very good at English either. In many places on their website, Groupize trumpets that they can "Reign in your small meetings spend." One presumes they mean "Rein in" and perhaps "cost of small meetings."

    1. Re:Not very good at English either by Anonymous Coward · · Score: 4, Funny

      Sir, I'm going to need you to repeat your words as a syngerized statement.

    2. Re:Not very good at English either by Anonymous Coward · · Score: 2, Funny

      It's ok the small meetings have been synergized, so the needful has been done.

  3. Not S3's fault... by TFlan91 · · Score: 1

    This is nowhere near the vendor's fault, this is 100% end-user error.

    AWS sent an email to us a while ago alerting us to a single bucket (of many) still in use, for an old client running "legacy" code, having public read/write.

    Within 5 minutes of reading the email, which was not requested, the permissions were fixed.

    1. Re:Not S3's fault... by ctilsie242 · · Score: 1

      Part of it is an attitude I've seen with a number of smaller companies is the "let's get this on AWS no matter what." Part of it is that they feel that with no physical operators coupled with a "results oriented" DevOps process, they can completely toss all IT people, except for 1-2 coders present, with the other devs offshored. Their idea of production is a testing environment after their unit tests, or perhaps after their push into Git.

      Of course, this starts to show when stuff like this happens. Did they even think about it? Maybe for a second, but they were more concerned with finishing their sprint than actual security work, because it is better to drop the ball and get the code done, just so they are not repeatedly yelled at by the PM for the same Jira items.

      In these environments, security has no ROI, so it gets tossed to the wayside.

    2. Re:Not S3's fault... by SvnLyrBrto · · Score: 1

      S3 buckets ARE secure by default. You have to specifically and intentionally open them to the public if your use case requires it. You would know this if you'd used S3 or if, lords of Kobol forbid, you'd bothered to read the article. And using S3 in this case is fairly derpy anyway. Even though it's default private, and can certainly hold encrypted objects; it's primarily intended for data that would be shared with the public. That's why it's so dead-simple to set as the origin for a CloudFront or pretty much any other CDN, and can even function as a poor-man's web server if all you need to serve up is html and client-side javascript.

      tl;dr version:
      Put your damned PCI data on an encrypted EBS volume or RDS database in a private subnet behind a VPC!

      --
      Imagine all the people...
    3. Re: Not S3's fault... by TheRaven64 · · Score: 1

      What about your sharp kitchen knives, do you have to enter an access code before using the blade or do you just go for it?

      My sharp kitchen knives came in a knife block that prevents me from accidentally grabbing the blade. It has handles that protect my hand. If someone sold a knife that had the blade going the full length to where the user was expected to hold it, then they'd be unpopular. Most devices come with basic safety designs and are safe in their normal and intended mode of use.

      --
      I am TheRaven on Soylent News
  4. Re:Nazi Germany has control of the newspapers and by Khyber · · Score: 1

    "making it licensed will lead to a lot of 1st amendment issues."

    Not even, you're still free to speak publicly anywhere else. You need a license in order to travel on specific roads despite the freedom to wander (You need a proper vehicular license and vehicle to go on highways) so why not need a license to get on the information superhighway?

    It would cut down on a huge chunk of stupidity on the internet, as well.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  5. Re:Nazi Germany has control of the newspapers and by Nutria · · Score: 1

    You need a license in order to travel on specific roads despite the freedom to wander (You need a proper vehicular license and vehicle to go on highways) so why not need a license to get on the information superhighway?

    Exactly. Of course, the reactions after Charlottesville makes pretty clear that revoking such licenses would be a pretty powerful way to silence people you disagree with.

    Whatever happened to "Fight Hate Speech with More Speech"?

    --
    "I don't know, therefore Aliens" Wafflebox1
  6. dont blame s3 by CimmerianX · · Score: 1

    Securing a bucket in S3 is not rocket science.... If the company doesn't know how to they should really hire someone to do it.

    How did they even pass a PCI audit with that information?

    1. Re:dont blame s3 by schleimkeim · · Score: 1

      Or they could just not put all their data on someone else's server.

  7. What is missing here... by orlanz · · Score: 1

    What we are missing is the list of hotels that use these guys. Don't need to list all of them, just the big ones. Get enough media attention on big hotel names not keeping personal information secure and they will start paying attention.

    It doesn't absolve them of their duties just because they hired a 3rd party. Maybe companies hiring out will pay more attention to details and operations after a few of these hit the news.

    Just listing the party that screwed up means it goes away and another just like it fills the void. The people who took down your info have no incentive to respect its security.

    1. Re:What is missing here... by ctilsie242 · · Score: 1

      If a bank hires a third party security service and the vault gets robbed, the blame will rest with the bank. Same thing. Just by offshoring to the lowest bidder doesn't mean that one's responsibilities are taken care of.

  8. Re:Nazi Germany has control of the newspapers and by Anonymous Coward · · Score: 1

    Or we just let it run its course and it will be self-sanitizing. The ones that screw up in this way will just go out of existence, or at least pay the cost for it.

    The only thing that should be regulated, if anything, should be that for every CC or personal information (not name, more in the line of SSN, postal address etc.) they leak they should be forced to pay $500 to the person they leaked information about.
    It would result in:
    1. Companies would improve security where they save customer data.
    2. Companies would reduce the amount of customer data they save on their live systems. It's enough to push the data to some offline system taking care of the orders or store sensitive data fully encrypted (asymmetric encryption of course).

  9. Re:Nazi Germany has control of the newspapers and by Khyber · · Score: 1

    More people out in the streets instead of on the internet would be far more effective speech. Driving them to that is a perfectly usable method.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.