Security researchers yet again found misconfigured AWS S3 buckets that exposed data publicly, and this time the files belonged to a data management firm used by many major enterprises, including Ford and TD Bank.
Cyber risk management firm UpGuard discovered three publicly accessible AWS S3 buckets belonging to Attunity, a data management firm based in Israel. The Attunity data totaled approximately 1 TB in size, “including 750 gigabytes of compressed email backups.” According to the UpGuard Data Breach Research team, the exposed Attunity data contained both internal documents and documents from third-party clients, such as Ford, TD Bank and Netflix.
“Exhaustively documenting the files associated with each of thousands of companies is not feasible or necessary for the research team’s purpose of raising awareness of the risk of data leaks,” UpGuard researchers wrote in a blog post. “Attunity’s business is to replicate and migrate data into data lakes for centralized analytics. The risks to Attunity posed by exposed credentials, information, and communications, then are risks to the security of the data they process. While many of the files are years old, the bucket was still in use at the time detected and reported by UpGuard, with the most recent files having been modified within days of discovery.”
Attunity was acquired by Qlik Technologies Inc., a data analytics firm based in King of Prussia, Pa., on May 6. UpGuard discovered the data on May 13 and notified Attunity on May 16. Qlik agreed to purchase Attunity in mid-February but the company declined to comment on whether or not a security audit had been performed at any point. In a statement, Qlik asserted the buckets only contained internal Attunity data and no client data.
“Attunity was notified in mid-May of an issue related to internal company data stored in AWS S3 buckets. Attunity personnel responded quickly to ensure that the data was secured. Attunity customers deploy and operate the software directly in their own environments, and therefore Attunity doesn’t store or host sensitive customer data,” Derek Lyons, spokesman for Qlik, wrote in a statement via email. “Following Qlik’s acquisition of Attunity in May, and upon becoming aware of the issue, Qlik applied its security standards and best practices to the Attunity environments, including monitoring by Qlik’s 24×7 security operations center.”
Included in the exposed Attunity data was employee data with names, locations and salaries, an internal email mentioning the breach of the Attunity corporate Twitter account and stating the new password in plaintext, and other credentials. UpGuard did not attempt to use the credentials, so it is unclear if they were still active or what level of access they would have provided. Third-party client data described in the post included a Netflix document with database authentication strings, a TD Bank software invoice and a presentation document from Ford. Qlik declined to comment on the third-party data shown by UpGuard.
Lyons added that an investigation into the Attunity data exposure is under way, so it is still unclear how long the buckets were exposed, and that Qlik has “engaged outside security firms to conduct independent security evaluations.”
“We take this matter seriously and are committed to concluding this investigation as soon as possible. At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us,” Lyons said.
The Attunity data exposure is the latest S3 leak discovered by UpGuard. Past exposures it found included data from Facebook, Verizon and the Department of Defense. The news also comes on the heels of the inaugural AWS re:Inforce security conference, at which AWS introduced new features aimed at helping customers avoid misconfigurations that could lead to exposures like this.
UpGuard researchers said they hope the Attunity data exposure “provides a useful lesson in the ecology of a data leak scenario.”
“Users’ workstations may be secured against attackers breaking in, but other IT processes can copy and expose the same data valued by attackers. When such backups are exposed, they can contain a variety of data from system credentials to personally identifiable information,” researchers wrote. “Data is not safe if misconfigurations and process errors expose that data to the public internet.”