Australian Broadcasting Corporation leaks passwords, video from AWS S3 bucket

'Advance video content' and years of backups dangled in the cloud

By Simon Sharwood


The Australian Broadcasting Corporation (ABC) has joined the long list of organisations to leak sensitive data from a poorly secured public-facing Amazon Web Services S3 bucket.

Security outfit Kromtech's chief communications officer Bob Diachenko on Thursday revealed that the company “identified a trove of data that is connected with ABC Commercial” including “production services and stock files that should not have been publicly available online.”

ABC Commercial is the government-funded broadcaster's wing dedicated to licensing, selling merchandise related to its programs, events and content marketing. It's intended to be a money-maker for the ABC.

Kromtech said the trove included “1,800 daily MySQL database backups from 2015 to present”. Those backups and other data in the buckets included:

Worse still, the unsecured buckets were detected in that state a week after AWS issued advice on how to secure S3 buckets.

Diachenko said Kromtech was able to reach ABC IT personnel and that the buckets were secured within minutes of notification about problems.

A person familiar with the ABC’s IT operations and politics told The Register this mess will likely be a boost to an old guard in its IT team that prefers on-premises infrastructure and defence-in-depth security strategies. That faction is likely to encounter resistance from management that is known to be keen on doing more in the cloud.

An ABC spokesperson told The Register the organisation "can confirm it is investigating a data breach but has no further comment to make at this stage." We've asked the organisation further questions about how and when it responded to the breach and will update this story if we learn more. ®

UPDATE: 12:15, Friday November 17th. The ABC "has confirmed that it was notified of a data exposure on 16 November. ABC technology teams moved to solve this issue as soon as they became aware."
