Dow Jones index – of customers, not prices – leaks from AWS repo

S3 bucket was set to authenticate all AWS users, not just Dow Jones users

Dow Jones has emulated Verizon by saving various internal databases (including Wall Street Journal subscribers) in the cloud without properly securing it.

The breach was turned up by UpGuard's Chris Vickery and is detailed in this post.

It's an all-too-familiar, straightforward breach: someone left a cloud repository configured to offer “semi-public access”, meaning “the sensitive personal and financial details of millions of the company’s customers” was exposed.

“While Dow Jones has confirmed that at least 2.2 million customers were affected, UpGuard calculations put the number closer to 4 million accounts,” the post adds.

The repo was an AWS S3 bucket with the wrong privacy settings: by configuring it to allow access to authenticated users, whoever set it up didn't seem to realise they were offering access to any authenticated AWS user - not just those with Dow Jones-associated accounts).

UpGuard says Chris Vickery discovered the breach at the end of May (in other words, he was working on the breach before UpGuard announced he'd joined them).

His analysis of the repo, called “dj-skynet” because even sysadmins for the quants have a sense of humour, and discovered a rich trove.

There's a customer file – the one the company reckons has upwards of 4 million records – that includes “customer names, internal Dow Jones customer IDs, home and business addresses, and account details, such as the promotional offer under which a customer signed up for a subscription”.

There's a risk and compliance database filled with dossiers of individuals, all the way from “a great many financial industry personnel located around the world” all the way to less salubrious characters. Below, from UpGuard's post, is an extract of what the database holds about late Libyan leader Muammar Gaddafi.

Dow Jones has confirmed the breach but has told outfits like The Hill it wasn't serious enough to warrant a customer announcement, since passwords and credit card numbers weren't leaked (only enough data to mount a phishing campaign, or help identity theft). Regarding the “risk and compliance” dossiers, it says the database included only public information.

News Corporation, Dow Jones parent company, has another cloudy cock-up to defend today: Australian pay TV operation Foxtel's streaming video service crashed when a wave of Game of Thrones fiends came in search of new episodes. ®


Biting the hand that feeds IT © 1998–2017