Flexbooker, an appointment booking platform, faced a significant data breach where ten million lines of customer data, including hashed passwords, driver's licenses, and photos, were stolen due to an improperly configured AWS S3 bucket. This incident mirrors similar cases with companies like Uber and Capital One, emphasizing the recurring issue of AWS breaches stemming from misconfigurations rather than direct compromises of AWS itself.
The shared responsibility model underscores the importance of customers securing their deployed apps and services to prevent such breaches, as misconfigurations are a common source of cloud security issues.
In this article, we look at the causes of some prominent AWS security breaches of recent years, the lessons they hold, and how stronger security measures could have prevented them. We analyze four real breaches, drawing out the key takeaways and the preventive steps that secure a cloud environment.
Analyzing AWS Security Breaches: Lessons Learned and Proactive Measures
Capital One
100 million customers affected by a misconfigured firewall. Major bank and financial services company Capital One disclosed in July 2019 that a former Amazon employee had compromised its AWS servers.
The compromise affected over 100 million people, exposing sensitive personal details such as bank account numbers, credit scores, and Social Security numbers, and illustrates what an AWS misconfiguration can cost.
Amazon made clear that neither AWS nor the underlying cloud services were compromised. Instead, as Capital One acknowledged, the attacker gained access through an improperly configured open-source Web Application Firewall (WAF).
Capital One settled a class action lawsuit filed by customers, awarding up to $25,000 per claim. The plaintiffs claimed that Capital One "knew of the particular security vulnerabilities that permitted the data breach" but chose not to address them. Rather than expressing agreement or disagreement with the lawsuit, Capital One announced it would settle "in the interest of avoiding the time, expense, and uncertainty of continued litigation."
Pegasus Airlines
6.5 gigabytes of data exposed by an unsecured S3 bucket. In May 2022, a security firm informed Turkish carrier Pegasus Airlines that it had misconfigured an AWS S3 bucket. The bucket held sensitive flight data, including navigation aids and flight charts, as well as personally identifiable information for multiple employees.
The open bucket also exposed some of the company's source code, which contained secret keys and plain-text passwords that attackers could have used to reach even more private information.
The security firm found nearly 23 million exposed files, totalling 6.5 gigabytes of data, and stated that "every Pegasus passenger and crew member worldwide could be affected by this exposure."
After being notified, Pegasus Airlines responded by thanking the security firm for the report. "The AWS S3 bucket was promptly secured," the firm said.
Twilio
An unsecured S3 bucket enables a code injection attack. Cloud communications company Twilio announced in July 2020 that attackers had gained access to an incorrectly configured S3 bucket and altered the JavaScript SDK for TaskRouter.
The attackers exploited a misconfiguration of the S3 bucket that hosted Twilio's TaskRouter JS SDK (a library customers use to route tasks). The modified library caused browsers to load an additional URL, which many researchers later linked to the notorious Magecart attacks.
In its disclosure, Twilio said it resolved the issue within fifteen minutes and corrected the S3 bucket configuration an hour later. Twilio also stated that the attackers were unable to reach internal systems or customer data.
"We had not properly configured the access policy for one of our AWS S3 buckets," Twilio stated openly. Twilio had set up this configuration in 2015, and it was secure at the time. However, Twilio explained that after diagnosing an issue some months later, it failed to "properly reset" the permissions.
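Both the Pegasus Airlines exposure (anonymous read of a bucket's contents) and the Twilio incident (anonymous write to a bucket that hosts a JavaScript library) come down to a bucket access policy that grants permissions to every caller. The following added example, which is not Pegasus Airlines', Twilio's or AWS's own tooling, audits a bucket policy document for Allow statements with a public principal and reports which read and write actions they grant. The two policies it scans are constructed samples with made-up bucket names and account IDs, not the policies from either incident; bucket ACLs and account-level Block Public Access settings are separate controls that this check deliberately leaves aside.

```python
"""Audit an S3 bucket policy for statements that grant anonymous access.

Added example; it is not Pegasus Airlines', Twilio's or AWS's own tooling.
Only the bucket policy document is examined: bucket ACLs and the account-level
Block Public Access settings are separate controls that this check does not
cover, so a clean result here does not by itself prove a bucket is private.
"""
import json

# Permissions that let an anonymous caller read objects (the Pegasus-style
# exposure) or write/replace them (the Twilio-style tampering with a hosted SDK).
# Action names are compared case-insensitively and reported in lower case.
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject"}


def _as_list(value):
    """Statement, Action and Principal.AWS may be a single value or a list;
    normalise to a list so the caller can iterate either way."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when the Principal matches every caller, anonymous ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _matched(patterns, actions):
    """Actions from `actions` covered by any pattern, honouring '*' wildcards."""
    hits = set()
    for pattern in patterns:
        pattern = pattern.lower()
        for action in actions:
            if pattern in ("*", "s3:*", action):
                hits.add(action)
            elif pattern.endswith("*") and action.startswith(pattern[:-1]):
                hits.add(action)
    return hits


def audit_bucket_policy(policy_json):
    """Return one finding per Allow statement that is open to the public.

    A finding records the statement's Sid, the public read and write actions
    it grants, and whether a Condition block is present. Conditions are
    reported rather than evaluated, so a reviewer must still check whether
    they genuinely narrow the access.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        reads = _matched(actions, READ_ACTIONS)
        writes = _matched(actions, WRITE_ACTIONS)
        if reads or writes:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "public_read": sorted(reads),
                "public_write": sorted(writes),
                "has_condition": "Condition" in stmt,
            })
    return findings


# Constructed sample: a misconfigured policy that lets anyone download every
# object and anyone upload or replace objects (fake bucket name).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
    ],
})

# Constructed sample: the hardened equivalent. Writes are limited to one
# publishing role (fake account id) and the only public statement is a Deny.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublisherWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/sdk-publisher"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-sdk-bucket",
                      "arn:aws:s3:::example-sdk-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for label, policy in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_bucket_policy(policy))
```

Run against the open sample, the audit reports a public-read statement and a public-write statement; the hardened sample produces no findings because its only wildcard principal sits on a Deny. A finding on a bucket that serves client-side code is the more urgent of the two: public write is exactly what lets an attacker swap the library every visiting browser loads.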
Uber
Insecure authentication exposed secret keys that let attackers reach 600,000 US driver records stored in AWS S3. Ride-sharing company Uber disclosed in November 2017 that, as early as 2016, attackers had obtained the personal data of over 50 million drivers and passengers, as well as 600,000 US driver records including license numbers.
The attackers gained access to Uber's GitHub repositories because the company had not enforced multi-factor authentication. Those repositories contained critical AWS credentials, which the attackers then used to access Uber's AWS S3 data stores.
Uber stated that it had tightened security on its cloud storage accounts, shut off unauthorized access, persuaded the attackers to delete the data, and secured it. Subsequent reports showed that Uber had paid the hackers $100,000 in exchange for their silence and had passed off the original hack as a successful bug bounty.
Imperva
A database containing customer email addresses and passwords is reached by attackers using an exposed AWS API key. Cybersecurity company Imperva disclosed in October 2019 that attackers had used a misconfigured AWS server to steal customer data.
Imperva's CEO revealed that the attackers had gained access to a database snapshot containing passwords and email addresses by using an administrative API key found in one of the company's AWS accounts.
Imperva was open and honest about the errors that resulted in the AWS security breach, outlining the four main actions that eventually exposed client data:
- During their evaluation of AWS, Imperva generated a database snapshot for testing purposes.
- An internal Imperva compute instance that held an AWS API key was publicly accessible.
- After compromising the compute instance, the attackers stole the AWS API key.
- Using the AWS API key, the attackers accessed the database snapshot and all the data it contained.
Since then, the business has implemented access audits and tightened security access controls, among other corrective measures.
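Three of the incidents above share one detail: AWS credentials sitting where they should never be, in source code exposed through an open bucket (Pegasus Airlines), in a GitHub repository (Uber), and on a compute instance (Imperva). The following added example, which is not the tooling of any of those companies or of AWS, scans text files for AWS access key IDs and for secret access keys assigned next to a recognisable variable name, redacts what it finds, and exits non-zero so it can gate a commit or a build. The access key ID format (AKIA or ASIA plus 16 upper-case alphanumerics) is AWS's published format; the sample files are constructed and use the placeholder credentials from AWS's own documentation rather than live keys.

```python
"""Scan files for AWS credentials before they are committed or deployed.

Added example; not Uber's, Imperva's or Pegasus Airlines' own tooling. The
access key ID format (AKIA or ASIA followed by 16 upper-case alphanumerics) is
AWS's published format. The sample files below are constructed and use the
placeholder credentials from AWS's own documentation, not live keys.
"""
import re
import sys

# Long-term (AKIA) and temporary (ASIA) access key IDs share one fixed shape.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys have no prefix, so a bare 40-character token would match
# far too much (every git SHA-1, for one). Only flag one that directly follows
# a name such as aws_secret_access_key in an assignment.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(token):
    """Keep just enough of a credential to locate it without re-leaking it."""
    return token[:4] + "..." + token[-4:]


def scan_text(text, name="<input>"):
    """Return a finding for each credential-shaped token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "access_key_id",
                             "value": redact(match.group(0))})
        for match in SECRET_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "secret_access_key",
                             "value": redact(match.group(1))})
    return findings


def scan_files(files):
    """Scan a mapping of file name -> contents; findings keep file order."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(text, name))
    return findings


# Constructed sample repository. The key values are AWS's documentation
# placeholders (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY); the commit hash is fake.
SAMPLE_FILES = {
    "settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy.yml": "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "notes.md": (
        "Commit 0123456789abcdef0123456789abcdef01234567 rotated the keys.\n"
        "Read AWS_ACCESS_KEY_ID from the secrets manager at runtime.\n"
    ),
}


def main(paths):
    """Scan the given paths (or the built-in sample when none are given) and
    return 1 on any finding so the scanner can fail a commit hook or build."""
    if paths:
        files = {}
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
    else:
        files = SAMPLE_FILES
    findings = scan_files(files)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['value']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample repository the scanner flags the key ID and secret in settings.py and the secret in deploy.yml, while the commit hash and the variable name in notes.md produce nothing. The findings carry only redacted values, so the scanner's own output can be logged or attached to a ticket without recreating the leak it just caught.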
3 Things To Know About AWS Data Breaches
These incidents offer practical lessons, grounded in AWS security best practices, for securing your company's use of AWS.
- Know your environment: Misconfiguration is a major source of AWS breaches. The more thoroughly you audit and understand your environment, the fewer misconfigurations attackers will have to exploit.
- Empower your developers: They are best placed to identify and correct misconfigurations. Giving developers the resources and guidance to build secure environments helps businesses prevent AWS breaches more effectively.
- Focus on prevention and secure design: Many of these breaches might have been avoided had the affected organizations paid more attention to secure practices. Tools such as Snyk's AWS vulnerability scanning let businesses find flaws before attackers do.
Conclusion
Examining these incidents makes the value of preventive measures against AWS data breaches apparent. Every breach, from Pegasus Airlines' open bucket exposing flight and employee data to Capital One's improperly configured firewall affecting millions, traced back to the same root cause. Misconfiguration is the recurring theme, and it underlines the customer's share of responsibility in cloud security. Prioritizing prevention through secure design, empowering developers with tools and support, and understanding your environment are critical to protecting against such threats.