Protegrity Blog

Misconfigured AWS S3 Cloud Storage Buckets Continue to Leave Sensitive Data Exposed

Author: Michael Maloney

Data Security Digest

At this week’s AWS re:Invent conference in Las Vegas, one of the key messages heard by the nearly 45,000 attendees was that data security is an area of focus and innovation for Amazon Web Services. From a threat detection service to a data discovery, classification and protection service powered by machine learning, AWS touted several new offerings intended to make business users feel more comfortable about securely using its popular cloud computing platform. And earlier this month Amazon rolled out a series of new security features to its AWS S3 cloud storage service, including encryption by default.

Despite these efforts, some organizations continue to leave sensitive data exposed due to misconfigured S3 cloud storage buckets. In the ZDNet article, “National Credit Federation Leaked US Citizen Data Through Unsecured AWS Bucket,” Charlie Osborne reports that NCF has become the latest in a long list of companies to leave the sensitive, private data of customers exposed for all to see online. The Tampa, Florida-based credit repair firm left 111GB of internal customer information on an S3 cloud storage bucket configured to allow public access without restriction.

The article “Classified Pentagon Data Leaked on Cloud” reports that classified Pentagon data was mistakenly left exposed on an unsecured S3 cloud-storage account configured for public access. The 100GB of data is from a failed joint intelligence-sharing program run by the U.S. Army and National Security Agency in 2013, and is likely to have been accessible to anyone on the internet for years.

“It feels like the NSA, the Pentagon, and the White House don’t take computer security very seriously,” said Chris Vickery, the internet sleuth who uncovered this and several other breaches, according to Tristan Greene’s article in The Next Web, “Yet Another NSA Intel Breach is Discovered on AWS. It’s Time to Worry.”

“This isn’t about the government being at the mercy of superior technology or know-how — it would be excusable if it was,” continued Vickery. “It’s about failing to take the most basic of precautions with data that would only be marked as Top Secret if its nature presented the possibility for the loss of American life if it fell into the wrong hands.”

What are you doing to better protect sensitive data stored in the AWS Cloud? We would love to hear from you. In the meantime, here’s a roundup of other top data security stories making headlines or providing insights for the week ending December 1, 2017:


  • “75% of Employees Likely to Exercise GDPR Rights,” by Nick Ismail in Information Age: The right to be forgotten is a major aspect of the impending General Data Protection Regulation, and it could cause severe headaches for businesses. New research has shown that 75 percent of employees are likely to exercise their right to be forgotten (RTBF). The principle, also known as the ‘right to erasure’, dictates that an individual can request that their data be removed or deleted when there is no compelling reason for a business to continue processing that information.
  • “GDPR and Data-Driven Collaboration,” by Nick Wood on LinkedIn: To deliver GDPR successfully, clients (data protection authorities, data controllers and data processors) and suppliers with relevant expertise in policy, people, platform and process need to work together.

Healthcare Data Security

  • “Health Data Breaches Lead to $2 Million California Penalty,” by Marianne Kolbasuk McGee in HealthcareInfoSecurity: The California attorney general’s office has smacked Cottage Health System, which operates five hospitals in the Santa Barbara area, with a $2 million settlement in the wake of breaches in 2013 and 2015 that exposed data on about 55,000 patients.
  • “NHS Boosts Cybersecurity with Ethical Hackers & SMS Alerts,” by Steve McCaskill in Silicon UK: The U.K.’s National Health Service hopes a new £20 million cybersecurity team will identify potential weaknesses in its IT infrastructure so pre-emptive steps can be taken to protect patient data from attacks. The new unit will use ethical hackers to spot the vulnerabilities while also monitoring the web for threats that could be used to stage assaults such as the WannaCry ransomware attack that wreaked havoc across the NHS in May.

Retail Data Security

  • “Tokenization’s Value Beyond Payments,” by the editors of com: In addition to securing payments, tokenization can also be used to protect data, where information itself is a form of currency, boosting confidence in confidentiality.
  • “Credit Card Fraud Down 29% for the First Time,” in Help Net Security: For the first time in recent years, credit card fraud has dropped, from 59 percent of total fraud found in the 2016 holiday week to 42 percent of total fraud found in the 2017 holiday week. This represents a 29 percent decrease and demonstrates that online retailers are making strides in their ability to identify and prevent card-not-present (CNP) fraud, which has been on the rise since brick-and-mortar retailers have increased their adoption of EMV card technologies.

Big Data Security

  • “When Big Data is a Big Headache,” by Darren Watkins in ITProPortal: Malicious attacks on IT systems are becoming more complex and, unfortunately, companies that work with big data face these issues daily. A lack of data security can lead to great financial losses and reputational damage for a company, and, as far as big data is concerned, losses due to poor IT security can exceed even the worst expectations.

Risk & Compliance

  • “London and Berlin are Most Exposed Cities in Europe,” by Phil Muncaster in InfoSecurity: London and Berlin have emerged as the two European cities most exposed to potential cyber-attacks, according to a new study from Trend Micro. It found 2.8 million exposed cyber-assets in Berlin and 2.5 million in London. These assets include webcams, routers, printers, NAS devices, web and email servers.

CISO Concerns


What was your favorite data security story this week?

Michael Maloney is the Director of Analyst & Public Relations at Protegrity, a provider of enterprise data-centric security solutions.
