- Someone discovered an improperly configured Microsoft Azure blob containing sensitive information of investment fund members.
- The details include names, addresses, number of shares, and even passport scans and online banking PINs.
- The fund’s IT team appears to lack knowledge of how cloud systems work and of the risks that arise from misconfigurations.
Sometimes, to expose the rule-bending rich, hacktivism is called for. Other times, they are exposing themselves via a database configuration error. The Register has an exclusive story on the latter, where a Cayman Islands-based investment fund has exposed its backups online after a configuration mistake on its Microsoft Azure blob cloud storage.
Essentially, anyone with the URL could casually access the storage and access all the juicy details about the fund members, investor communications, the value of the holdings, and more. Even online banking PINs, real addresses, and passport scans were included in the dataset.
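The exposure described above comes down to a container's public-access level: at "blob" level anyone holding a blob's URL can read it anonymously, and at "container" level anyone can also list the blob names. The following is an added example (not code from The Register's report or from the fund or its vendor) of a defender-side audit that takes the JSON emitted by `az storage container list --account-name <acct> -o json`, flags containers with anonymous access, and prints the `az` commands that close them. The sample JSON is constructed, and the field names `name` and `properties.publicAccess` (values `container`, `blob` or `null`) are assumed to match the CLI's output; the account name `fundacct` is a placeholder.

```python
import json

# Constructed sample resembling `az storage container list -o json` output.
# Assumption: each entry carries `name` and `properties.publicAccess`,
# where publicAccess is "container", "blob" or null (private).
SAMPLE_CONTAINER_LIST = json.dumps([
    {"name": "backups", "properties": {"publicAccess": "container"}},
    {"name": "reports", "properties": {"publicAccess": "blob"}},
    {"name": "private-data", "properties": {"publicAccess": None}},
])

# Either of these levels allows unauthenticated reads.
PUBLIC_LEVELS = {"container", "blob"}


def find_public_containers(container_list_json: str) -> list[dict]:
    """Return one finding per container that permits anonymous reads.

    "container": anyone can enumerate blob names and read every blob.
    "blob":      anyone who knows (or guesses) a blob URL can read it.
    """
    findings = []
    for entry in json.loads(container_list_json):
        level = (entry.get("properties") or {}).get("publicAccess")
        if level in PUBLIC_LEVELS:
            findings.append({
                "name": entry["name"],
                "level": level,
                "listable": level == "container",  # enumeration possible
            })
    return findings


def remediation_commands(account: str, findings: list[dict]) -> list[str]:
    """Build the az CLI commands that remove anonymous access.

    One per-container fix, plus an account-wide switch that prevents any
    container from being made public again.
    """
    cmds = [
        f"az storage container set-permission --account-name {account} "
        f"--name {f['name']} --public-access off"
        for f in findings
    ]
    if findings:
        cmds.append(
            f"az storage account update --name {account} "
            "--allow-blob-public-access false"
        )
    return cmds


if __name__ == "__main__":
    # Placeholder account name; in practice pipe the real CLI output in.
    found = find_public_containers(SAMPLE_CONTAINER_LIST)
    for f in found:
        what = "listable and readable" if f["listable"] else "readable by URL"
        print(f"[PUBLIC] {f['name']}: {f['level']} ({what})")
    for cmd in remediation_commands("fundacct", found):
        print(cmd)
```

Running the audit on an account's real container listing (an identity with read access over the storage account is enough) surfaces exactly the kind of backup container that was left open here; the account-wide `--allow-blob-public-access false` setting is the durable fix, because it stops a vendor from re-enabling public access on an individual container later.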
The Register accessed samples of that data to confirm its validity after a tipster informed them of the blob and shared the URL. By that time, several sensitive internal documents were being indexed by search engines, so the situation was already out of control.
The media outlet informed the owner but initially received a puzzling disregard towards their notification, which was treated as a phishing attempt. Soon, though, the agent realized what was going on and secured the data. As the person explained, the particular Azure blob was actually used for data backups and had been set up by their IT vendor in Hong Kong.
From what appears to be the case, the fund and its in-house IT team had little to no idea of how Azure works or how the data was supposed to be protected from public access. They relied upon the Hong Kong IT provider to take care of everything, which it obviously failed to do. That’s a $500 million investment fund with “Rothschild & Co.” among its backers. Surely, they should not have cheaped out on their internal IT and cybersecurity teams.
The case with investment funds based in tax havens like the Cayman Islands isn’t (necessarily) one of illegality but of a lack of ethics. The country even found itself added to the EU’s tax haven blacklist in February (although it was eventually removed in October), accused of fostering tax abuse, evasion, and money laundering practices. Investigative journalists have been murdered for attempting to unearth tax crimes of this kind, so it’s not as if the exposed individuals don’t care about the publicity.