Cloud Insecurity: Huge data breach shows a fundamental misunderstanding about protecting data stored in a Cloud

Researchers at vpnMentor have discovered an unprotected database on a Microsoft Cloud server that contains the personal information of ~80 million US households, including sensitive information like income and marital status. However, the team who found the information could not determine who owns or operates the insecure database.

 

Large breach of household-level data

The 24 GB database is believed to be one of the largest – if not the largest – breaches of household level data. The fields contain information on each person in the household, including

• Marital status
• Income
• Full name
• Data of birth
• Age
• Gender
• Latitude and longitude of the physical address
• Type of structure

Since the data relates to households that have multiple members, the number of individuals impacted could easily run into the hundreds of millions of US residents.

vpnMentor describes the data as a “goldmine” for identity thieves and malicious attackers, especially those hackers who rely on ransomware. “The only way to remove ransomware is by paying a fee – and with access to your income information, attackers know how much they can demand of you,” notes vpnMentor in the blog announcing the discovery.

Conclusions from the McAfee report.

This latest breach reinforces findings from McAfee’s 2018 report on cloud security that found an average of 2,200 security incidents per month are a direct result of misconfigured cloud services according to the 1,400 global IT professionals who participated in the study.

McAfee claims the root cause is often a lack of skilled cloud security team members and a continued reliance on manual processes – mirroring the same issues faced by teams deploying apps on-prem.  But, there is a more basic reason, according to one industry expert.

Goldmine for malicious attackers

“A lot of companies feel they have less responsibility for security once they move to the cloud, and that vendors will be accountable. That’s not the case,” according to Dannie Combs, chief information security officer at Donnelley Financial Solutions Inc., of Chicago in a Wall Street Journal interview.

What do you need for comprehensive protection?

You may also need additional tools and managed solutions to provide the comprehensive cloud data protection you want and your customers expect. While major cloud hosts do make some security tools available, it’s still your responsibility to apply them and monitor their effectiveness.

That’s understandable since many executives have the mistaken impression that once you move to a cloud environment, the burden for application and cloud data protection is built-in to the services you have purchased.

Clearnetwork reduces the burden on overworked and understaffed IT teams. We lower risks and costs so you can focus on protecting your business.