
Detailed Financial Histories Exposed for Thousands - giacaglia
https://www.upguard.com/breaches/credit-crunch-national-credit-federation
======
vannevar
The problem isn't that our data has become public; it's that businesses accept
data as identity. They mostly just mindlessly automated manual paperwork
processes that were slow, but also less efficient to defraud. By only looking
at costs, and not at risks, business has built our ecommerce infrastructure on
sand. The notion of identity as it relates to business transactions needs to
be reworked from the ground up.

~~~
volgo
The solution here is not technical - we already know the technical solution.
The solution is to introduce a cost to the risk.

Right now the "risk" has no cost - if you expose people's data there's not
that much consequence besides bad PR. We should assign some dollar value to
each person's identity leaked. That way, businesses can properly assess risk
and reward when they start these types of projects.

Over time, I think businesses would rather avoid the liability of storing
people's info in the first place.

~~~
altharaz
This is exactly what will happen in Europe next year.

With the General Data Protection Regulation, any leak of private data caused
by a major cybersecurity gap in a company will lead to severe financial
sanctions such as a fine based on 4% of the company turnover.

This law will indeed give the risk a “cost” :).

~~~
closeparen
As I understand it, Europe does not generally suffer from the disease of banks
and courts accepting knowledge of basic demographic data as proof of identity.
GDPR is not really comparable to the mess of the US social security number
situation.

The risk we need to introduce is to make banks (not customers) responsible
when banks allow themselves to be tricked w.r.t. personal identity. This would
motivate them to come up with identity verification schemes reflecting
~anything at all that the security community has figured out in 50+ years.

------
save_ferris
I get that it's the customer's responsibility to correctly configure their
services, but what does it say about the UX of AWS services that they're so
easy to misconfigure with disastrous consequences? And despite this happening
across a variety of industries, Amazon doesn't seem super concerned about it
either, but I could be wrong here.

There's just no excuse for this to keep happening, but the processes meant to
prevent this are clearly failing.

~~~
siruncledrew
The new console for AWS literally has a documentation link containing example
bucket policies at the top of the page for S3 buckets. Either someone was
given a job they clearly had no experience in or was alarmingly inadequate at
performing their job duties. It really shows the level of incompetence so many
of these companies operate at with no regard for PII.

~~~
thesmallestcat
Insecure defaults are a footgun.

~~~
joshmn
Absolutely.

Windows tells you that using a password is probably a good idea for a user
account. Many websites these days force you to use a combination of
letters/numbers/special characters.

Why doesn't Amazon say "hey, this is publicly available, you wanna fix it?"

~~~
inopinatus
> Why doesn't Amazon say "hey, this is publicly available, you wanna fix it?"

They do. It's clearly warned about in the interface both at the time you make
it so and with a big "PUBLIC" sticker label afterwards. What's more, I've
received warning emails from AWS notifying of (intentionally) public buckets.

Public buckets for private data are a deliberate and wilful choice by lazy,
reckless administrators.

~~~
ghaff
I noticed this when I went into my console the other day. (Ironically, to set
up a public bucket for something.) I don't think the UI was bad before but,
now, you'd have to be pretty clueless to have a bucket public by accident.

------
tomlong
It's frustrating that whatever I do to protect my own identity/data, no amount
of 2FA or password generators or my own good practice mitigates the loss/theft
of data/identity in this way.

I'm as good at it as anyone I know (and unsurprisingly I work in tech) and
it's still a complete crapshoot.

~~~
Veratyr
Not everything you do is futile. Refraining from distributing your data is
very effective.

------
laurencei
Is there a way I can triple check my S3 bucket is secure?

I know I've not enabled public access that I know of - but given the recent
focus on this, what are the exact steps that I need to follow so I can sleep
at night and show a level of diligence on the issue?

~~~
NathanKP
Enable Amazon Macie. It automatically classifies your data in S3 buckets,
detects situations where data is more open than it should be, and warns you if
access patterns for data change in a way that may indicate that you have been
hacked or someone is misusing their level of access to the data.

[https://aws.amazon.com/macie/](https://aws.amazon.com/macie/)
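One way to do that "triple check" offline, as an added example that is not from the original thread or from AWS: feed a bucket's ACL and policy documents to a small checker that flags ACL grants to the AllUsers/AuthenticatedUsers groups and policy statements with a wildcard principal. The documents below are constructed samples in the shape boto3's get_bucket_acl() returns and the JSON string in get_bucket_policy()'s Policy field; the bucket name and VPC endpoint id are placeholders.

```python
"""Offline audit of an S3 bucket ACL and bucket policy for public access.
Document shapes follow boto3's get_bucket_acl()/get_bucket_policy() output;
the sample documents at the bottom are constructed, not real buckets."""
import json

# ACL grantee groups meaning "anyone on the internet" / "any AWS account".
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_public_grants(acl):
    """Return (Permission, group URI) for each ACL grant to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in PUBLIC_GROUP_URIS:
            out.append((grant["Permission"], g["URI"]))
    return out

def _principal_is_anyone(principal):
    # Policy principals may be "*", {"AWS": "*"} or {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_public_statements(policy_json):
    """Sids of Allow statements whose Principal is everyone, split into
    (unconditional, conditional): a Condition such as aws:SourceVpce may
    narrow the grant, so those get a human look rather than a pass."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    open_, cond = [], []
    for i, s in enumerate(stmts):
        if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal")):
            (cond if s.get("Condition") else open_).append(s.get("Sid", f"stmt{i}"))
    return open_, cond

# Constructed sample: a public-read ACL grant plus an open s3:GetObject policy.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
```

Run over every bucket in the account, a non-empty result from either function is the finding to chase; the conditional list is worth reviewing by hand because the condition, not the principal, is what keeps that statement from being world-open.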

~~~
Operyl
Neat! Didn't know about that service, hopefully businesses accept that hefty
price tag though. It's obvious they don't want to invest too heavily in
sec-orgs as it stands, it seems.

~~~
NathanKP
Pretty soon with the GDPR kicking in it will be more expensive to not protect
the data than it is to protect it.

All companies processing the personal data of people residing in the EU
regardless of the company’s location who have a breach of data where the
organization has been shown to violate basic privacy design concepts can be
fined 4% of annual global turnover or €20 million, whichever is greater.

It goes into enforcement in May 2018:

[https://www.eugdpr.org/](https://www.eugdpr.org/)

If Macie saves you just once from that giant fine it probably just paid for
itself for years!

~~~
napsterbr
Hey, I'm all in for that, but how do we handle data breaches on small business
where 20mil corresponds to, say, 100 years of profit?

I haven't read the law, but the FAQ does not mention the 20mil figure.

~~~
NathanKP
Here you go:

[https://www.eugdpr.org/key-changes.html](https://www.eugdpr.org/key-changes.html)

"Under GDPR organizations in breach of GDPR can be fined up to 4% of annual
global turnover or €20 Million (whichever is greater). This is the maximum
fine that can be imposed for the most serious infringements e.g. not having
sufficient customer consent to process data or violating the core of Privacy
by Design concepts."

So that 20mil or 4% (whichever is greater) is for companies that have
seriously violated the GDPR. It remains to be seen how it is enforced, but my
understanding is that this is purposely designed to be very punitive to force
companies to have a dollar amount in mind when it comes to designing security
and doing the right thing.

------
vintageseltzer
Are there any examples of class-action lawsuits or legal consequences against
companies that expose sensitive data like this in the U.S.?

~~~
astura
Here's a discussion on the topic: [https://www.bankinfosecurity.com/data-breach-lawsuits-fail-a...](https://www.bankinfosecurity.com/data-breach-lawsuits-fail-a-8213)

------
pleasecalllater
Oh, another ____company... cool.

Who will get to jail? Oh, nobody.

Who will get bonuses? Oh, the management.

Who will be fired? Oh, some programmers or admins.

~~~
Jdam
Looks totally like an admin shortcoming to me though.

------
defined
Finding smart solutions to the issue of corporate data breaches is laudable.
Finding solutions that are feasible for use by people who are being paid the
lowest wage that the company they work for can get away with will be
miraculous, IMHO.

The reason I say this is that knowing not to give a sensitive AWS S3 bucket
public access is 101-level AWS expertise, which means either of these
scenarios is likely:

- The persons responsible did not know any better, or

- They did know better, but made an error provoked by pressure due to
understaffing.

Both of these point to a lack of competent security personnel, either due to
understaffing, or hiring insufficiently experienced staff, both of these due
to minimizing salary budgets (or clueless hiring managers, perhaps).

------
vvram
It's great to see attention being drawn to responsible use of cloud services,
which for the most part have safe defaults. I absolutely support responsible
disclosure, but it is always uncomfortable to see that security researchers
(this particular team) go beyond vulnerability discovery and handle the
data directly. Who is responsible for safe disposal of the data they
downloaded and analyzed?

------
ngold
Back in the paper days, I moved into a new office only to discover a dozen or
so boxes crammed full of people's personal files. Mortgage applications and
taxes. It took a couple of weeks to track down the parent company, but all
sorts of damage could have been done had I been anyone else.

------
ryanf323
Those AWS “practitioners” who are too stupid or lazy to figure out IAM
policies. Thankfully, AWS has added bright yellow labels to identify public
buckets. However, labels won’t be enough to motivate some people to learn
JSON.

------
gldev3
Last year one of Mexico's political parties left the nominal list with a lot
of citizens' information available in an AWS server, unforgivable; how come
this keeps happening?

------
hdogan
This might be related to
[https://news.ycombinator.com/item?id=15826906](https://news.ycombinator.com/item?id=15826906)

------
ssijak
That's cool, just following what's trendy.

------
LoonyBalloony
What will happen to this corporation? Any punishment at all? It didn't say in
the article.

------
zeep
Do Amazon AWS servers expose everything by default?

~~~
dbenhur
No. The exact opposite, in fact.

------
jimjimjim
AWS server considered harmful.

