The GOP, the WWE, and Verizon don’t usually all wind up mentioned in the same sentence. And yet, they all have to be, because within a month of each other, they’ve all made the same stupid error that leaves your data exposed to everyone on the internet. What’s going on, and why are so many companies making the same dumb mistake?
This isn’t a minor issue. The GOP leak alone exposed data on 61% of Americans from their Reddit activity to their voting records, and the Verizon leak leaves anyone who called their customer service line vulnerable to hackers who can use their PIN to breach the two-factor authentication used by banks and other companies to protect finances and other important data. The data leaked has included names, phone numbers, voting records, personal preferences, access PINs, and a litany of other information.
Each of the three cases we linked involves an Amazon S3 storage server (although it’s important to note that Amazon is not at fault here). You might think of Amazon as the place where you buy stuff, but the company keeps the lights on and the Whole Foods mergers funded by selling web services. Amazon’s simple storage servers are popular because they’re flexible, powerful, and you don’t need a particularly in-depth knowledge of computer systems to make use of them. They’re commonly used to store data, even sensitive data, because they’re easy to access remotely.
The mistake comes in with a security setting. It’s a small permission, one that asks if you want to make the data “public” or “private.” The issue is that too many people seem to think “public” means “only available to anybody in the company.” It doesn’t. While you’re unlikely ever to find the URL to an Amazon S3 server on Google, it’s painfully easy to find them using the search engine SHODAN, which scours the internet for hidden URLs. This allows researchers and hackers access to an enormous number of internet-connected items, from Amazon S3 servers to security cameras; many, many devices connect to the internet simply by having their own web address.
Accessing these items is rarely complex if they haven’t been properly secured. In fact, it’s so easy, if your webcam isn’t secured, somebody willing to shell out $28 for an app could be looking through it right now. But the data breach is the most worrying because it’s the most dangerous and the easiest to fix. So why does this keep happening?
One clue is that there tends to be a third party involved, usually an independent contractor hired to handle data or customer service, and they use the bucket without bothering to check the settings. Or perhaps they misunderstand the settings. But, in the end, there’s no buck to pass here. Some companies try to blame Amazon, but that’s like a drunk driver insisting the company shouldn’t have sold him a car. When we decide to work with Verizon or any other company that’s supposed to store our data, there’s an implicit obligation that they protect our data as well. We’re the ones at risk when data leaks. If our safety isn’t protected, we’ll need to think hard about who we give our data to, and what we’re willing to surrender.
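The “public” versus “private” setting described above can be checked from a bucket’s own ACL and policy. The following Python sketch is an added example, not code from the original article: it runs on constructed sample data shaped like the ACL that boto3’s `get_bucket_acl` returns and a bucket policy JSON string, and it assumes, as a simplification, that any `Allow` statement with a wildcard principal and no `Condition` is public.

```python
import json

# Predefined S3 grantee groups (real AWS URIs).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"             # anyone on the internet
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account, not just yours

# Constructed sample data; IDs and bucket names are placeholders.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VendorOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Return (audience, permission) pairs for grants that reach outside the account."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri == ALL_USERS:
            findings.append(("anyone on the internet", grant["Permission"]))
        elif uri == AUTH_USERS:
            findings.append(("any AWS account holder", grant["Permission"]))
    return findings

def public_policy_statements(policy_json):
    """Return Sids of Allow statements with a wildcard principal and no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            findings.append(stmt.get("Sid", f"statement-{i}"))
    return findings

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL))
    print(public_policy_statements(SAMPLE_POLICY))
```

Statements that carry a `Condition` are skipped here and still need manual review, since a condition does not by itself make a wildcard grant private.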