Unprotected Server Contains Sensitive Data From Various Firms

• A leaky bucket that contained data belonging to a large number of firms remained online for months.
• The researchers who discovered it believe it belongs to a business management software company.
• The implications of having these particular data types exposed online are pretty dire.

Now and then, researchers stumble upon an unprotected server that doesn’t clearly belong to someone. VpnMentor’s duo N. Rotem and R. Locar report exactly such a case, having found an unsecured AWS S3 bucket that has a mix of sensitive data that seems to belong to various companies.

The server hosts 5.5 million totaling 343GB in size, and due to the type of data, the researchers were led to believe that this was an aggregation of a cybersecurity company.

The bucket was discovered on December 20, 2019, and after some digging, Rotem and Locar assumed that the owner must be ‘InMotionNow.’ They contacted the firm six days after the initial discovery of the unprotected server but never heard back. They then knocked to Amazon thrice, with the last time being on January 30, 2020.

Eventually, and without ever getting any response or confirmation of who owns the bucket, the server was secured on February 17, 2020. Finally, the researchers decided that it would be wise to inform all of the exposed companies that had data in that bucket, and so they did on March 16, 2020.

According to the report’s details, ‘InMotionNow,’ which is a business management consultant who offers software solutions, may have exposed the data by mistake.

The companies that had data in the leaking bucket include the following:

• ISC2.org (infosec)
• Brotherhood Mutual (insurance)
• Kent State University
• Purdue University
• Potawatomi Hotel & Casino
• Zagg (consumer electronics)
• Freedom Forum Institute (a non-profit organization)
• Myriad Genetics (DNA testing)
• Performance Health (physical therapy equipment)

Due to the different entities in the bucket, there’s a wide range of data types to be found, from financial analytics reports and internal presentations to donor lists and business intelligence folders, mailing lists with PIIs, phone numbers, full names, and more. In general, the companies that have been affected by this incident are based in the United States and France.

The consequences of this data breach include the “typical” identity theft, phishing, scamming, and fraud risks. In addition to these, there are also corporate espionage perils since the databases contained login credentials in plain-text form. With the bucket staying online and accessible for such an extensive period, hackers may be already roaming in the compromised entities’ corporate networks by using data found in the bucket.

As for the server owner, InMotionNow is very likely to be the culprit, but this was never confirmed. The company hasn’t denied any involvement with the incident, so the crucial ownership detail was left hanging all these months.