Report: Cybersecurity Firm’s Data Exposed, Among Others
The vpnMentor cybersecurity research team, led by Noam Rotem and Ran Locar, has uncovered an unsecured AWS S3 bucket with over 5.5 million files and more than 343GB in size that remains unclaimed.
Timeline of Discovery and Owner Reaction
Sometimes the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s exposing the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true.
In this case, after a few days of research, we identified the possibility that the data belongs to InMotionNow, and subsequently contacted the company with our findings. Although the unsecured S3 bucket is now closed, no one from the company ever responded to our attempts to reach out, so we are unable to confirm the ownership.
- Date discovered: December 20, 2019
- Date InMotionNow (assumed owner of the data) notified: December 26, 2019
- Date Amazon notified: December 29, 2019, January 7, 2020, and January 30, 2020
- Date bucket was closed: February 17, 2020
- Date other companies notified: March 16, 2020
In this particular case, our research team was not able to verify without a shadow of a doubt who, exactly, owns the exposed data. For this reason, we have decided that it’s crucial to let the general public know whose data and which data was made vulnerable by the lack of standard cybersecurity procedures.
Our research led us to assume that InMotionNow owns the data. We reached out to them and no one replied, and there was no clear indication in the exposed bucket that it was theirs. With this in mind, we are including all companies whose data was found in the bucket. If it does in fact belong to InMotionNow, they’ll know who’s exposing the data, and if it doesn’t, the companies will be able to investigate further themselves. Our team also reached out to these companies on March 16, 2020.
InMotionNow is a project management software company started in 1999 and headquartered near Raleigh, North Carolina. They boast FDA-compliant security standards, aimed at the verticals of their target customers.
Included here is a non-exhaustive list of the companies whose marketing material was found in the unsecured S3 bucket:
Cybersecurity firm ISC2.org had multiple pieces of data included in this breach as well.
Insurance company Brotherhood Mutual, which serves primarily religious institutions across the United States.
Universities, such as Kent State in Ohio and Purdue in Indiana, also had a plethora of files and information contained within the S3 bucket.
Potawatomi Hotel & Casino in Milwaukee, Wisconsin.
Consumer electronics company, Zagg (ZAGG), which designs and produces mobile accessories.
Non-profit organization, the Freedom Forum Institute, which fosters U.S. First Amendment freedoms for all.
Organizations affected by a variety of health industry regulations were found. They include, but may not be limited to:
Myriad Genetics (MYGN) - Genetic and disease testing company.
Performance Health - Physical Therapy equipment and supplies provider.
Examples of Data Entries
Here’s the list of data that our research team found and was able to identify:
- Analytics reports
- Internal presentations, including:
  - Company strategy
  - Annual revenue amounts
  - Current customer count
- Training materials
- Internal client requests, including:
  - Requester name
  - Project name and details
- Marketing strategies and collateral
- Product labels
- Business intelligence
- Mailing lists with relevant PII
- University donor lists, including:
  - Full names
  - Personal and work emails
  - Direct phone numbers
  - Credentials (degree, school, year)
  - Amount donated
These are the countries where we found customers included in the data breach, but we did not open each file and it is possible that there are more clients in additional countries that were impacted.
- United States of America
Data Breach Impact
The items contained in this data breach often hold private and/or confidential information. The promise of secure facilities and systems is a key selling point for clients such as the military and its supply chain - and the breach of that guarantee is not only a failure in service, but also potentially carries a security risk.
Knowing the full name, birthdate, and, yes, even the incarceration record of an individual can provide criminals with enough information to steal that person’s identity.
Identity theft does not always mean that the thief will claim that they are a particular individual in real life; it also allows them to engage in credit fraud, drain your bank account, and engage in scams against family, friends, and other associates of the identity theft victim.
Anyone with access to the countless copyrighted documents contained within this S3 bucket could easily download them without having to pay for their contents and also illegally upload them to a torrent network, available for free to all.
The combination of branding materials and contact lists makes it a cinch for anyone with malicious motives to commit fraud. It’s possible to issue false certificates from universities, and make note of insider knowledge to gain false credibility.
Full unencrypted logins for administrators seem to have been made available in this breach. The loss of control over this access could lead to cybercriminals taking over accounts and obtaining otherwise confidential information about stores, employees, and customers.
Advice from the Experts
The company that owns this bucket could have easily avoided this data breach if it had taken some basic security measures to protect the S3 bucket. These include, but are not limited to:
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size. For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
Securing an Open S3 Bucket
It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
In the case of this unsecured S3 bucket, the quickest way to fix this error would be to:
- Make the bucket private and add authentication protocols.
- Follow AWS access and authentication best practices.
- Add more layers of protection to the S3 bucket to further restrict who can access it from every point of entry.
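As an added illustration of the steps above (not code from vpnMentor or AWS), the following Python sketch audits a bucket's configuration offline for the settings that make it readable without authentication. It assumes the inputs have the JSON shapes AWS returns for a bucket policy, ACL grants and Block Public Access settings; the function names, bucket name, account ID and sample configurations are constructed for the example.

```python
import json

# ACL grantee group URIs that S3 treats as "everyone" / "any AWS account holder".
GROUP_URI = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUP_URI + "AllUsers", GROUP_URI + "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def audit_bucket(policy_json, acl_grants, pab):
    """Return findings that leave a bucket readable without authentication."""
    pab, findings = pab or {}, []
    off = [f for f in PAB_FLAGS if not pab.get(f)]
    if off:
        findings.append("Block Public Access not fully enabled: " + ", ".join(off))
    if not pab.get("IgnorePublicAcls"):  # otherwise S3 ignores public ACL grants
        for g in acl_grants:
            uri = g.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {g['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if policy_json and not pab.get("RestrictPublicBuckets"):
        stmts = json.loads(policy_json).get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            # Only unconditional grants are flagged; a Condition needs manual review.
            open_to_all = s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))
            if open_to_all and not s.get("Condition"):
                findings.append(f"Policy {s.get('Sid', '?')} allows {s.get('Action')} to everyone")
    return findings

# Constructed sample: a bucket anyone can list and read from a browser.
EXPOSED = dict(
    policy_json=json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
        "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}),
    acl_grants=[{"Grantee": {"Type": "Group", "URI": GROUP_URI + "AllUsers"}, "Permission": "READ"}],
    pab=None)  # Block Public Access never configured
# Constructed sample: the same bucket after it is made private.
HARDENED = dict(
    policy_json=json.dumps({"Statement": [{"Sid": "AppRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    acl_grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}],
    pab=dict.fromkeys(PAB_FLAGS, True))
if __name__ == "__main__":
    print(audit_bucket(**EXPOSED), audit_bucket(**HARDENED), sep="\n")
```

Turning on all four Block Public Access flags neutralizes the public policy and ACL in the exposed sample even before they are cleaned up, which is why it is the quickest first fix.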
For those affected by the data breach
If you think your personal or corporate information may be on this unsecured S3 bucket, and are concerned about how this breach might impact you or about other data vulnerabilities in general, read our complete guide to online privacy to help better protect yourself online in the future. It shows you the many ways cyber criminals target internet users, and the steps you can take to stay safe.
You can also use a VPN to hide some of the data collected by the owner of this bucket. A VPN will mask your IP address and country of residence, giving you an added layer of protection even if your data is exposed.
How and Why We Discovered the Breach
The vpnMentor research team discovered the misconfigured bucket as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked.
When they find a data breach, they use expert techniques to verify the identity of the S3 bucket's owner. We then alert the company to the breach. If possible, we will also alert those affected by the breach.
We were able to access the S3 bucket because it was completely unsecured and unencrypted. Using a web browser, the team could access all files hosted on the bucket.
The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security.
However, these ethics also mean we carry a responsibility to the public. This is especially true when the company's data breach contains such a huge amount of private and sensitive information.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
In the past, we’ve discovered a breach in LightInTheBox that compromised the data of its customers. We also recently revealed that a company owned by major hotel chain AccorHotels exposed over 1TB of guests’ data. You may also want to read our VPN Leak Report and Data Privacy Stats Report.