A proprietary watchlist of 2.4M risky individuals and corporate entities owned by Dow Jones has been exposed, after a third-party company with access left it on an AWS-hosted Elasticsearch database without a password. The indexed, tagged and searchable list includes current and former politicians, citizens with alleged criminal histories and possible terrorist links, and companies under sanctions or convicted of high-profile financial crimes. The exposed records include names, addresses, locations, dates of birth, genders, whether they are deceased or not, and in some cases, photographs.
Expert comments below:
Chris DeRamus, CTO and Co-founder at DivvyCloud:
“This security lapse from the Dow adds to a growing list of organizations in 2019 that have left Elasticsearch servers unprotected, therefore exposing massive quantities of proprietary data. Dow Jones suffered a similar cloud storage misconfiguration two years ago that exposed the information of 2.2 million customers. It’s concerning that with this new exposure, Dow Jones clearly did not take proper steps to strengthen its security posture. Organizations must realize the importance of balancing their use of the public cloud, containers, hybrid infrastructure and more with proper security controls. Automated cloud security solutions that provide the automation essential to enforce policy, reduce risk, provide governance, impose compliance and increase security across large-scale hybrid cloud infrastructure are a must for the massive stock market index, as well as any major enterprise.”
Carl Wright, CCO at AttackIQ:
“This data breach is particularly egregious for both the lack of very basic protection — a password — and the extremely high degree of sensitivity of the data. There may be people on the list that are innocent, and the risky individuals are now aware they are on the list and can change their tactics to avoid detection in the future. Such leaks are often caused by gaps in security programs that can be easily detected and prevented. Organizations must take proactive approaches to protect their data through continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses. And as evidenced by this incident, testing must extend to an organization’s third-party partners as well.”
Anurag Kahol, CTO and Founder at Bitglass:
“Dow Jones’ exposed database contained sensitive details on current and former politicians, alleged and convicted criminals, citizens with possible terrorist links, companies facing sanctions, and organizations convicted of high-profile crimes. Leaving this information unprotected is both careless and irresponsible – as is failing to address the issue in detail with the public. While all organizations need to defend their data, Dow Jones, in particular, must adhere to the highest of security standards – the type of information that they collect, store, and share demands it.
Even though AWS provides some native security and compliance functionality, the onus is on the enterprise to secure access to the data that is being stored within the platform. At the most basic level, this requires the use of a password (although this alone is not sufficient for cybersecurity). As more and more organizations move to the cloud, advanced, cloud-specific security controls must be put in place in order to secure data as it travels across third-party services, organizations, and devices. One effective solution for accomplishing this involves using a cloud access security broker (CASB) to protect data wherever it goes.”
Robert Prigge, President at Jumio:
“The lists of politically exposed persons, terrorists and convicted cybercriminals are compiled and curated from a variety of third-party databases. These lists are then used by a variety of companies including Dow Jones, Thomson Reuters (now Refinitiv), and ComplyAdvantage, so the actual exposure of 2.4 million records of high-risk individuals and business entities may not be as critical or earth-shattering as other breaches involving less visible end-consumers, where usernames, passwords and other personal information are compromised.
Data breaches such as Equifax, Marriott/Starwood and Quora are far more damaging because this data usually ends up on the dark web where it can be bought and sold and aggregated with other personal information to perpetrate identity theft. Since these watchlists contain the names of politicians (politically exposed persons) and known criminals (sanctions lists) the impact may be less, depending on how much personal data was exposed. That’s not to say that this data won’t creep into the dark web — it probably will — but the impact to the Average Joe will probably be less.”