Yes, despite all the warnings and the numerous headlines from previous breaches – a poorly-secured Amazon Web Services S3 server has once again been the route through which sensitive data has been left for anyone to stumble across.
According to the Kromtech security researchers who found the publicly accessible data, the database belongs to MBM Company Inc, a Chicago-based jewelry company which is best known under its Limogés Jewelry brand, and may have been public since January 13, 2018.
And, if security researchers were able to find the sensitive information online, there’s no reason to believe that a determined criminal couldn’t have also struck gold.
There are clearly a number of items of concern here, not least why on earth the company was storing plain text passwords in this day and age. But what caught my eye was some of the media coverage related to the security lapse.
Can you spot the common theme between these news reports?
That’s right. They’re all mentioning Walmart. But it wasn’t Walmart that messed up its security, it was Limogés Jewelry, or if you prefer MBM Company Inc.
Yes, Limogés Jewelry is sold through Walmart, but it’s also sold via other major retailers including Amazon, Sears, Kmart, Target, and countless online third-party stores. And the exposed database was found to contain records connected with jewelry purchases from many other retailers besides just Walmart.
Many people won’t have heard of Limogés Jewelry, but they have heard of Walmart. And so that’s the name that news editors like to put into the headlines, which also means that it’s Walmart’s reputation and brand that ends up inevitably tarnished.
The fact is that your company most likely does business with many partners, suppliers, and other third parties – and you may have little visibility into how well they are securing themselves, or what they might be doing with the valuable data you are entrusting to them.
Before you entrust sensitive data to any third party, your company needs to be sure the partner can and will keep it safe from attack.
That assurance may come in several forms – such as demanding that prospective partners and suppliers complete a security assessment report, requiring a contract that states explicitly the information security defences and practices they must have in place, and obtaining guarantees and indemnities.
Such standards are important, not only to prevent the accidental leaking of sensitive customer data, but also to prevent more deliberate attacks where hackers might exploit inadequate security measures at “trusted” parties in order to tunnel into businesses.
There’s good news and bad news for the more than 1.3 million purchasers of Limogés Jewelry.
Although the leak cannot be undone, the data held on the insecure Amazon S3 bucket is no longer accessible, thank goodness, and there is no evidence that a malicious third party has accessed the information.
But the lack of evidence doesn’t mean that no unauthorised criminal parties accessed the cache of personal information and (may I remind you, with my head in my hands) plain text passwords of users while it was available. Also, in perhaps a worrying sign that it still isn’t taking security as seriously as it might, MBM Company has still not responded to the security researchers who informed them about their problem.
Not every company is going to care as much about security and privacy as your business. Choose your partners carefully, because at the end of the day your customers don’t really care that much about whether it was you or a third party which was careless with their data. What they care about is that they entrusted their data to you.