Meeting and Hotel Booking Provider's Data Found in Public Amazon S3 Bucket (threatpost.com)

Leaks of personal and business information from unsecured Amazon S3 buckets are piling up. From a report: The latest belongs to Groupize, a Boston-area business that sells tools to manage small group meetings as well as a booking engine that handles hotel room-block reservations. Researchers at Kromtech Security found a publicly accessible bucket containing business and personal data, including contracts and agreements between hotels, customers and Groupize, Kromtech said. The data included some credit card payment authorization forms that contained full payment card information, including expiration date and CVV code. The researchers said the data stored in S3 was organized into numerous folders; one called "documents" held close to 3,000 scanned contracts and agreements, while another called "all_leads" had more than 3,100 spreadsheets containing critical Groupize business data, including earnings. There were 37 other folders in the bucket containing tens of thousands of files, most of them storing much more benign data.
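The summary describes the failure but not the check. As an added example, not code from the article, Kromtech or Groupize, the Python below audits the three settings that decide whether a bucket is world-readable or world-writable: the bucket ACL, the bucket policy and the Public Access Block. The ACL, policy and block documents are constructed for the example in the shape boto3 returns them; the bucket name, canonical id, account id and role ARN are placeholders.

```python
"""Offline audit of the three settings that make an S3 bucket public: the
bucket ACL, the bucket policy and the Public Access Block. The dicts have the
shape boto3's get_bucket_acl, get_bucket_policy and get_public_access_block
return, but the sample documents below are constructed for this example;
bucket name, canonical id, account id and role name are placeholders."""
import json

# Predefined groups that make an ACL grant public. AllUsers is "anyone on the
# internet"; AuthenticatedUsers is "anyone with any AWS account", which in
# practice is the same thing.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """(group, permission) pairs granted to a public group, e.g. ('AllUsers', 'READ')."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return hits


def _any_principal(principal):
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Sids (or positions) of unconditional Allow statements open to any principal.

    Statements with a Condition block are skipped, not cleared: a condition such as
    aws:SourceVpce may restrict them, but a human has to read it to know."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without the list
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _any_principal(st.get("Principal")) and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def public_access_block_gaps(pab):
    """Public Access Block flags that are off. None models the call raising
    NoSuchPublicAccessBlockConfiguration, i.e. nothing configured at all."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_KEYS if not cfg.get(k, False)]


def assess_bucket(acl, policy, pab):
    """One verdict dict per bucket; clean only when every list is empty."""
    return {
        "public_acl_grants": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy),
        "public_access_block_gaps": public_access_block_gaps(pab),
    }


# --- constructed samples (placeholders, not real identifiers) -----------------
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# The failure mode in the article: ACL open to everyone for READ (list the
# bucket) and WRITE, a policy letting anyone GetObject, and no block at all.
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
LEAKY_PAB = None

# The corrected configuration: owner-only ACL, policy scoped to one application
# role in the owning account, all four block flags on.
HARDENED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    for name, args in (("leaky", (LEAKY_ACL, LEAKY_POLICY, LEAKY_PAB)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(name, json.dumps(assess_bucket(*args), indent=2))
```

Against a live account the three documents come from boto3's get_bucket_acl, get_bucket_policy (which returns the policy as a JSON string under "Policy") and get_public_access_block, the last of which raises NoSuchPublicAccessBlockConfiguration when nothing is set, which is what the None case models. Object-level ACLs are not covered, and a statement carrying a Condition is deliberately left for a person to read rather than cleared.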
  • by Nutria ( 679911 ) on Monday August 21, 2017 @02:39PM (#55058759)

    Not just that, but a license to manage every server you manage and/or create. It sure would cut down on stuff like this and IoT issues.

    (Except that I'm certain that MSFT would use that as a technique for not licensing OSX and Linux users.)

    • by Anonymous Coward

      Internet usage needs to be licensed.

      Well, start with the easy things - there are rules for PCIDSS compliance to accept credit cards.

      Is someone paying a big fine?

      LOL. Of course not...

      • PCIDSS is a contractual requirement imposed by the credit card companies in order to accept payments. It's not a law enforced by government, such as HIPAA. So no, there could never be a fine for a breach. I guess it's possible that there may be a penalty fee specified in the contract, but that's different from a legal fine. Mostly, you just lose your ability to take credit card payments, which would sink many businesses.

    • Nazi Germany had control of the newspapers, and Goebbels supervised more than 3,600 newspapers and hundreds of magazines. He met the editors of the Berlin newspapers each morning and told them what could be printed and what could not.

      Making it licensed will lead to a lot of 1st amendment issues.

      • by Khyber ( 864651 )

        "making it licensed will lead to a lot of 1st amendment issues."

        Not even, you're still free to speak publicly anywhere else. You need a license in order to travel on specific roads despite the freedom to wander (You need a proper vehicular license and vehicle to go on highways) so why not need a license to get on the information superhighway?

        It would cut down on a huge chunk of stupidity on the internet, as well.

        • by Nutria ( 679911 )

          You need a license in order to travel on specific roads despite the freedom to wander (You need a proper vehicular license and vehicle to go on highways) so why not need a license to get on the information superhighway?

          Exactly. Of course, the reactions after Charlottesville make it pretty clear that revoking such licenses would be a pretty powerful way to silence people you disagree with.

          Whatever happened to "Fight Hate Speech with More Speech"?

          • by Khyber ( 864651 )

            More people out in the streets instead of on the internet would be far more effective speech. Driving them to that is a perfectly usable method.

        • by Anonymous Coward

          Or we just let it run its course and it will be self-sanitizing. The ones that screw up in this way will just go out of existence, or at least pay the cost for it.

          The only thing that should be regulated, if anything, should be that for every CC or piece of personal information (not name, more in the line of SSN, postal address, etc.) they leak, they should be forced to pay $500 to the person they leaked information about...
          It would result in:
          1. Companies would improve security where they save customer data.
          2. Compan

    • by AmiMoJo ( 196126 )

      Just impose heavy fines for people who are this grossly negligent. In the UK there is something called the Information Commissioner's Office, which can and does fine companies for this kind of mis-handling of sensitive, personal data.

  • by Anonymous Coward
    Not very good at English either. In many places on their website, Groupize trumpets that they can "Reign in your small meetings spend." One presumes they mean "Rein in" and perhaps "cost of small meetings."
  • This is nowhere near the vendor's fault; this is 100% end-user error.

    AWS sent an email to us a while ago alerting us to a single bucket (of many) still in use, for an old client running "legacy" code, having public read/write.

    Within 5 minutes of reading the email, which was not requested, the permissions were fixed.

    • Part of it is an attitude I've seen with a number of smaller companies: "let's get this on AWS no matter what." Part of it is that they feel that with no physical operators, coupled with a "results oriented" DevOps process, they can completely toss all IT people except for 1-2 coders present, with the other devs offshored. Their idea of production is a testing environment after their unit tests, or perhaps after their push into Git.

      Of course, this starts to show when stuff like this happens. Did

  • Securing a bucket in S3 is not rocket science. If the company doesn't know how to, they should really hire someone to do it.

    How did they even pass a PCI audit with that information?

  • What we are missing is the list of hotels that use these guys. Don't need to list all of them, just the big ones. Get enough media attention on big hotel names not keeping personal information secure and they will start paying attention.

    It doesn't absolve them of their duties just because they hired a 3rd party. Maybe companies hiring out will pay more attention to details and operations after a few of these hit the news.

    Just listing the party that screwed up means it goes away and another just like it f

    • If a bank hires a third party security service and the vault gets robbed, the blame will rest with the bank. Same thing. Just offshoring to the lowest bidder doesn't mean that one's responsibilities are taken care of.
