Meeting and Hotel Booking Provider's Data Found in Public Amazon S3 Bucket (threatpost.com) 37
Leaks of personal and business information from unsecured Amazon S3 buckets are piling up. From a report: The latest belongs to Groupize, a Boston-area business that sells tools to manage small group meetings as well as a booking engine that handles hotel room-block reservations. Researchers at Kromtech Security found a publicly accessible bucket containing business and personal data, including contracts and agreements between hotels, customers and Groupize, Kromtech said. The data included some credit card payment authorization forms that contained full payment card information including expiration data and CVV code. The researchers said the database stored in S3 contained numerous folders, below; one called "documents" held close to 3,000 scanned contracts and agreements, while another called all_leads had more than 3,100 spreadsheets containing critical Groupize business data including earnings. There were 37 other folders in the bucket containing tens of thousands of files, most of them storing much more benign data.
Internet usage needs to be licensed. (Score:3)
Not just that, but a license to manage every server you manage and/or create. It sure would cut down on stuff like this and IoT issues.
(Except that I'm certain that MSFT would use that as a technique for not licensing OSX and Linux users.)
Re: (Score:1)
Internet usage needs to be licensed.
Well, start with the easy things - there are rules for PCIDSS compliance to accept credit cards.
Is someone paying a big fine?
LOL. Of course not...
Re: (Score:2)
PCIDSS is a contractural requirement required by the credit card companies in order to accept payments. It's not a law enforced by government, such as HIPAA. So no, there could never be a fine for a breach. I guess it's possible that there may be a penalty fee specified in the contract, but that's different than a legal fine. Mostly, you just lose your ability to take credit card payments which would sink many businesses.
Nazi Germany has control of the newspapers and (Score:1)
Nazi Germany has control of the newspapers and Goebbels supervised more than 3,600 newspapers and hundreds of magazines. He met the editors of the Berlin newspapers each morning and told them what could be printed and what could not.
making it licensed will lead to a lot of 1st amendment issues.
Re: (Score:2)
"making it licensed will lead to a lot of 1st amendment issues."
Not even, you're still free to speak publicly anywhere else. You need a license in order to travel on specific roads despite the freedom to wander (You need a proper vehicular license and vehicle to go on highways) so why not need a license to get on the information superhighway?
It would cut down on a huge chunk of stupidity on the internet, as well.
Re: (Score:2)
You need a license in order to travel on specific roads despite the freedom to wander (You need a proper vehicular license and vehicle to go on highways) so why not need a license to get on the information superhighway?
Exactly. Of course, the reactions after Charlottesville makes pretty clear that revoking such licenses would be a pretty powerful way to silence people you disagree with.
Whatever happened to "Fight Hate Speech with More Speech"?
Re: (Score:2)
More people out in the streets instead of on the internet would be far more effective speech. Driving them to that is a perfectly usable method.
Re: (Score:1)
Or we just let it run its course and it will be self-sanitizing.. The ones that screw up in this way will just go out of existence, or at least pay the cost for it..
The only thing that should be regulated, if anything, should be that for every CC or personal information (Not name, more in the line of ssn, postal address etc) they leak they should be forced to pay $500 to the person they leaked information about....
It would result in:
1. Companies would improve security where they save customer data.
2. Compan
Re: (Score:2)
Just impose heavy fines for people who are this grossly negligent. In the UK there is something called the Information Commissioner's Office, which can and does fine companies for this kind of mis-handling of sensitive, personal data.
Not very good at English either (Score:1)
Re:Not very good at English either (Score:4, Funny)
Sir, I'm going to need you to repeat your words as a syngerized statement.
Re: (Score:2, Funny)
It's ok the small meetings have been synergized, so the needful has been done.
Not S3's fault... (Score:2)
This is no where near the vendors fault, this is 100% end-user error.
AWS sent an email to us a while ago alerting us to a single bucket (of many) still in use, for an old client running "legacy" code, having public read/write.
Within 5 minutes of reading the email, which was not requested, the permissions were fixed.
Re: (Score:2)
Part of it is an attitude I've seen with a number of smaller companies is the "lets get this on AWS no matter what." Part of it is that they feel that with no physical operators coupled with a "results oriented" DevOps process, they can completely toss all IT people, except for 1-2 coders present, with the other devs are offshored. Their idea of production is a testing environment after their unit tests, or perhaps after their push into Git.
Of course, this starts to show when stuff like this happens. Did
Re: (Score:2)
What about your sharp kitchen knives, do you have to enter an access code before using the blade or do you just go for it?
My sharp kitchen knives came in a knife block the prevents me from accidentally grabbing the blade. It has handles that protect my hand. If someone sold a knife that had the blade going the full length to where the user was expected to hold it, then they'd be unpopular. Most devices come with basic safety designs and are safe in their normal and intended mode of use.
Re: (Score:2)
S3 buckets ARE secure by default. You have to specifically and intentionally open them to the public if your use case requires it. You would know this if you'd used S3 or if, lords of Kobol forbid, you'd bothered to read the article. And using S3 in this case is fairly derpy anyway. Even though it's default private, and can certainly hold encrypted objects; it's primarily intended for data that would be shared with the public. That's why it's so dead-simple to set as the origin for a CloudFront or prett
dont blame s3 (Score:2)
Securing a bucket in S3 is not rocket science.... If the company doesn't know how to they should really hire someone to do it.
How did they even pass a PCI audit with that information?
Re: (Score:1)
What is missing here... (Score:2)
What we are missing is the list of hotels that use these guys. Don't need to list all of them, just the big ones. Get enough media attention on big hotel names not keeping personal informantion secure and they will start paying attention.
It doesn't absolve them of their duties just because they hired a 3rd party. Maybe companies hiring out will pay more attention to details and operations after a few of these hit the news.
Just listing the party that screwed up means it goes away and another just like it f
Re: (Score:2)
If a bank hires a third party security service and the vault gets robbed, the blame will rest with the bank. Same thing. Just by offshoring to the lowest bidder doesn't mean that one's responsibilities are taken care of.