US-based publishing and financial information firm Dow Jones & Company is the latest casualty of a cloud database misconfiguration error.
In late May, UpGuard’s Chris Vickery discovered an Amazon S3 cloud-based data repository accessible to AWS authenticated users under the subdomain “dj-skynet.” Further analysis tied the bucket to Dow Jones.
“The exposed data repository (…) had been configured via permission settings to allow any AWS ‘Authenticated Users’ to download the data via the repository’s URL. Per Amazon’s own definition, an ‘authenticated user’ is ‘any user that has an Amazon AWS account,’ a base that already numbers over a million users; registration for such an account is free,” UpGuard analyst Dan O’Sullivan explained.
Exposed data and potential malicious use
The repository contained sensitive information of millions of Dow Jones customers – Dow Jones says 2.2 million, but UpGuard believes the number is closer to 4 million.
The information includes customer names, internal Dow Jones customer IDs, home and business addresses, and account details, as well as occasionally phone numbers and customer email addresses.
“Also stored in the main repository is a folder titled ‘rnc_watchlist.’ While the Dow Jones Risk and Compliance Watchlist was also the name of a previously offered product, this folder title may reference data of more recent and ongoing relevance to Dow Jones’s suite of anti-corruption databases,” O’Sullivan noted.
“Within this folder are 21 schema files, explaining various field names for the data set, as well as a .csv title also named djrc_ac_csv_201603312359_f. This .csv file lists 1.6 million rows of people or entities, along with any associated aliases, organizations, and businesses, as well as the subject’s background and personal history. The list includes a great many financial industry personnel located around the world, as well as many more well-known parties of ill-repute.”
UpGuard has notified Dow Jones of their discovery, and the repository was secured on June 6th. It is unknown whether anyone else accessed the exposed information – Dow Jones says they have no evidence that the exposed information was accessed or exfiltrated by anyone else.
“With a list of four million subscribers to Dow Jones publications, it is not hard to see how malicious actors could deploy phishing messages against exposed customers. Sending official-looking emails purporting to be from The Wall Street Journal notifying customers their subscription had lapsed, or that their accounts had been compromised, malicious actors could have succeeded in convincing such high-value targets to supply credit card information, login credentials, or more,” O’Sullivan pointed out.
“While it is a relief that only the last four digits of customer credit cards were exposed in the breach, even this data could potentially be used to damaging effect. A vulnerability discovered in 2015 allowed anyone in possession of the last 4 digits of a Chase or Bank of America CC number to, in combination with the victim’s phone number, gain control of the account.”
A serious issue arising as public cloud adoption is skyrocketing
Bitglass CEO Rich Campagna says this was yet another demonstration of how services such as AWS are missing basic steps that ensure their data and services are configured in a secure fashion.
“It seems like a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public,” he noted. “This approach could ensure that cloud services deny unauthorized access, and organizations could take it one step further and encrypt sensitive data at rest. Companies like Dow Jones, Verizon and anyone else using the public cloud for their infrastructure can easily enforce policies that require internal teams and third-parties to adequately protect any customer data that touches the cloud.”
Dome9 CEO Zohar Alon says one of the problems leading to such data exposures is that enterprises are facing a skills shortage, which often leads to engineers and admins managing multiple services simultaneously and having to understand the intricate languages of each.
“Whether it’s Google, Microsoft or Amazon, each requires a specific skillset and configuration to ensure sensitive information is not exposed,” he pointed out. “Dow Jones, Verizon, the WWE, the U.S. voter records and Scottrade leaks each were a result of human error and could have easily been mitigated with proper controls and checks in place.”