A cloud-based data storage repository used by business analytics software provider Birst was left unsecured resulting in data about financial services firm Capital One, among others, being exposed, it has been claimed.
Security company UpGuard said the AWS S3 bucket contained 50.4GB of technical data about a Birst appliance that was set up to be used in Capital One’s IT environment.
But a Capital One spokesperson denied that any of the company's information was exposed. UpGuard now appears to have taken down its blog post based on which this report was written. The company has been contacted for an explanation.
The unsecured S3 bucket was discovered by UpGuard's Cyber Risk research director Chris Vickery. It resided at the subdomain capitalone-appliance and was configured for public access.
UpGuard said the exposed data included administrative access credentials, passwords, and private keys for use in Capital One systems by an on-premise Birst cloud environment.
{loadposition sam08}The Capital One spokesperson said: "This was simply an instance of a vendor’s software that was hosted in their cloud environment. The referenced passwords and credentials are generic and are used for installing this software," the spokesperson claimed.
"As a matter of standard practice, Capital One changes all default settings, including credentials, prior to deploying third-party software. Because of this, there is no impact to the security of Capital One systems and data."
UpGuard's blog post said: "Birst’s appliances provide security advantages that would normally protect against precisely this kind of cloud leak; by entirely cutting the on-premise Birst cloud environment off from access to the wider Internet, security misconfigurations resulting in the exposure of critical information would not be possible.
"Copying that same data, however, to an Amazon S3 bucket that can be accessed by anyone entering a URL — and storing in that bucket not just the encrypted appliance, but the key needed to decrypt the data — enables precisely this kind of cloud leak to occur."
However, UpGuard also pointed out that one would first need to breach the systems at Capital One in order to use the data that was exposed.
" In itself, this cloud leak does not expose the private information stored in those other systems," the security firm said.
"Rather, this leak multiplies the effect of any successful attack– whether through phishing, malware, social engineering, or insider threat- to a potentially catastrophic scale."
In the past, UpGuard has found data from an insurance firm exposed in an unsecured NAS device. It has also found misconfigured Amazon Web Services S3 buckets leaking data from Paris-based brand marketing company Octoly, California data analytics firm Alteryx, credit repair service National Credit Federation, the NSA, the Pentagon, global corporate consulting and management firm Accenture, publisher Dow Jones, a Chicago voter database, a North Carolina security firm, and a contractor for the US National Republican Committee.