Security Lapse Exposes Cayman Islands-Based Investment Fund

  • Someone discovered an improperly configured Microsoft Azure blob containing sensitive information of investment fund members.
  • The details include names, addresses, number of shares, and even passport scans and online banking PINs.
  • The fund’s IT team appears to be lacking the knowledge of how cloud systems work and the risks that arise from misconfigurations.

Sometimes, to expose the rule-bending rich, hacktivism is called for. Other times, they are exposing themselves via a database configuration error. The Register has an exclusive story on the latter, where a Cayman Islands-based investment fund has exposed its backups online after a configuration mistake on its Microsoft Azure blob cloud storage.

Essentially, anyone with the URL could casually access the storage and access all the juicy details about the fund members, investor communications, the value of the holdings, and more. Even online banking PINs, real addresses, and passport scans were included in the dataset.

Source: The Register

The Register accessed samples of that data to confirm its validity after a tipster informed them of the blob and shared the URL. By that time, several sensitive internal documents were being indexed by search engines, so the situation was already out of control.

Source: The Register

The media outlet informed the owner but initially received a puzzling disregard towards their notification, treating is a phishing attempt. Soon though, the agent realized what was going on and secured the data. As the person explained, the particular Azure blob was actually used for data backups and was set up by their IT vendor in Hong Kong.

Source: The Register

From what appears to be the case, the fund and its in-house IT team had little to no idea about how Azure works or how the data was supposed to be protected from public access. They relied upon the Hong Kong IT provider to take care of everything, which they obviously failed in. That’s a $500 million investment fund with one of its backers being the “Rothschild & Co.” Surely, they should not have cheaped out on their internal IT and cybersecurity teams.

The case with investment funds based in tax havens like the Cayman Islands isn’t one of illegality (necessarily) but of lack of ethics. The country has even found itself added to the EU’s tax haven blacklist in February (although it was eventually removed in October), accused of fostering tax abuse, evasion, and money laundering practices. Investigative journalists have been murdered for attempting to unearth tax crimes of this kind, so it’s not like the exposed individuals don’t care about the publicity.

REVIEW OVERVIEW

Latest

Apple TV+ One-Year Free Trials Extended Until July 2021

Buyers of Apple TV devices have just gotten a second Apple TV+ subscription extension.This adds up to another nine full months of...

The Scottish Environment Protection Agency Was Hit by Ransomware

The Scottish Environment Protection Agency (SEPA) was compromised by the Conti group almost a month ago.The ransomware gang is now leaking part...

Discovery Plus Keeps Crashing: Here’s How to Fix It

Discovery Plus has been out for over a week now and users are reporting various issues they have with the service. One...