According to a ZDNet report, a misconfigured AWS S3 bucket at V Shred exposed more than one million files, including personal data relating to some 99,000 people associated with the fitness brand’s customers. This arose because the AWS bucket was completely open to the public.
Concerns about the type of data that was exposed have been raised by Balbix CTO Vinay Sridhara. The analyst is concerned with one of the responses from V Shred, which held that the exposed data was not important. Sridhara explains that just because information does not “seem” important, this does not mean that the data cannot be used by hackers.
Sridhara says this is down to the nature of the environment within which the data was held: "The challenge of cloud environments is that the chance of misconfigurations greatly increases, and many organizations assume that major third-party providers have strong default security standards."
Sridhara clarifies: "Combined, these factors often lead to lax security in cloud environments. In the case of V Shred, the S3 bucket was left completely open to public access and included identifiers in the URL that made user information easily identifiable. Perhaps even more concerning is that V Shred responded to the vulnerability by saying it was necessary to have the files open and that no personal identifiable information was exposed."
On this point, Sridhara notes: "Though some information may seem “harmless,” any compromised data can increase the chances of a highly targeted (and effective) phishing scheme, making it easier for hackers to track and compromise people online. Only implementing security measures that can monitor risk in cloud environments will ensure that the public is fully protected."