Another day, another leaky S3 bucket
Apparently, 50,000 Australians had their personal details stored on an Amazon S3 bucket without the correct permissions:
The personal details of up to 50,000 Australians — including some credit card numbers and salaries — have been mistakenly posted online by a contractor, in one of the biggest data breaches to date.
The information, including full names, emails, expenses and payment details, was publicly available online until early October.
The breach, first reported by ItNews, was discovered by a Polish security researcher who searched for data that should have been protected online.
Close to 25,000 credit card transactions of staff at insurer AMP were disclosed by the contractor, which has not yet been named.
The Finance Department, the Australian Electoral Commission and the National Disability Insurance Agency have also been compromised.
Calling it “one of the biggest data breaches to date” is slightly overselling it in the context of Equifax’s 130 million records, but they probably mean “In Australia”.
To be clear, there’s no excusing this sort of poor security practice by the owners of the data, but I do have some sympathy: Amazon’s AWS interface is famously unintuitive, and their S3 access permissions are even more so. Getting this wrong is easier than it should be, and usability is half the battle in any security model. Blaming the user only gets you so far.
The problem in a lot of these stories seems to be the use of the “Authenticated Users” access control group within S3. When setting this permission, it’s likely that people are interpreting it as “only me and other people I specify”, when it actually means “anyone with an AWS account” - i.e., public.
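To make the point concrete, here is a small audit check I have added (it is not code from the original post or from AWS): it walks a bucket ACL in the shape boto3 returns from `s3.get_bucket_acl(Bucket=...)` and flags any grant to the two predefined global groups, treating "Authenticated Users" as just as public as anonymous "All Users". The ACL dict and the canonical-user IDs in it are constructed for the example.

```python
"""Audit an S3 bucket ACL for grants that are effectively public.

Added example, not code from the original post or from AWS. The ACL dict
at the bottom is constructed to match the shape of boto3's
s3.get_bucket_acl(Bucket=...) response; a real audit would pass that
response in unchanged.
"""

# Predefined global grantee groups in S3 ACLs. Both mean "anyone":
# AllUsers is anonymous access, AuthenticatedUsers is any holder of an
# AWS account anywhere, not just accounts you own or have named.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "AuthenticatedUsers (any AWS account)",
}


def find_public_grants(acl):
    """Return [(group_label, permission), ...] for every grant that opens
    the bucket to the world, whether anonymously or to any AWS account.

    Grants to specific canonical users are not reported, and neither are
    grants to service groups such as LogDelivery: only the two global
    groups above widen the audience to "everyone".
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants name one account
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if label is not None:
            findings.append((label, grant.get("Permission")))
    return findings


def is_public(acl):
    """True if any grant in the ACL reaches AllUsers or AuthenticatedUsers."""
    return bool(find_public_grants(acl))


# Constructed sample ACL (IDs are placeholders, not real canonical IDs).
# The owner has FULL_CONTROL, one named account has READ, the S3 log
# delivery group can write access logs, and someone has added READ for
# "Authenticated Users" believing it meant "only logged-in people I know".
SAMPLE_ACL = {
    "Owner": {"ID": "CONSTRUCTED-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "CONSTRUCTED-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "CONSTRUCTED-PARTNER-CANONICAL-ID"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for label, perm in find_public_grants(SAMPLE_ACL):
        print(f"PUBLIC: {perm} granted to {label}")
```

In practice you would feed `boto3.client("s3").get_bucket_acl(Bucket=name)` into `find_public_grants` for each bucket in the account. The ACL is only one of the ways a bucket ends up public (a bucket policy can do the same), so this check complements rather than replaces the account-level S3 Block Public Access setting, which refuses both kinds of grant outright.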