Another day, another leaky S3 bucket

Email update, 2 November 2017

Apparently, 50,000 Australians had their personal details stored in an Amazon S3 bucket with the wrong access permissions:

Credit card details, salary information published by government contractor

The personal details of up to 50,000 Australians — including some credit card numbers and salaries — have been mistakenly posted online by a contractor, in one of the biggest data breaches to date.

The information, including full names, emails, expenses and payment details, was publicly available online until early October.

The breach, first reported by ItNews, was discovered by a Polish security researcher who searched for data that should have been protected online.

Close to 25,000 credit card transactions of staff at insurer AMP were disclosed by the contractor, which has not yet been named.

The Finance Department, the Australian Electoral Commission and the National Disability Insurance Agency have also been compromised.

Calling it “one of the biggest data breaches to date” is slightly overselling it in the context of Equifax’s roughly 145 million records, but they probably mean “in Australia”.

This is just the latest in a very long string of S3 storage buckets left open for anyone to access. At this point they’re practically a weekly occurrence.

To be clear, there’s no excusing this sort of poor security practice by the owners of the data, but I do have some sympathy: Amazon’s AWS interface is famously unintuitive, and their S3 access permissions are even more so. Getting this wrong is easier than it should be, and usability is half the battle in any security model. Blaming the user only gets you so far.

The problem in a lot of these stories seems to be the use of the “Authenticated Users” grantee group in S3 bucket ACLs. People setting this permission are likely reading it as “only me and other people I specify”, when it actually means “anyone signed in to any AWS account”. Since anyone can create an AWS account for free in a few minutes, that is public in every sense that matters. If you want to share a bucket with a specific account, you grant that account (or use a bucket policy naming it); the predefined groups are never the right tool for that.
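Because the group names are the trap, the quickest way to catch this is to look at the ACL by URI rather than by label. The following is an added example written for this post, not code from the article, from the contractor, or from AWS: it takes a bucket ACL in the JSON shape that `aws s3api get-bucket-acl` (and boto3’s `get_bucket_acl()`) return and flags any grant made to the two predefined world groups. The two sample ACLs are constructed here so it runs offline; the canonical-user IDs in them are placeholders.

```python
"""Flag S3 bucket ACL grants that open a bucket to the world.

Added example for this post (not from the original article or from AWS).
Input is the JSON shape returned by `aws s3api get-bucket-acl`; the sample
ACLs below are constructed so the check runs without any AWS access.
"""
import json

# S3's predefined grantee groups. The display names are what people misread:
# "Authenticated Users" means every AWS account in the world, not "my users".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

WORLD_GROUPS = {
    ALL_USERS: "anyone on the internet, no credentials needed",
    AUTHENTICATED_USERS: "anyone with any AWS account (effectively public)",
}


def world_grants(acl):
    """Return (permission, explanation) for every grant to a world group.

    `acl` is a dict in the GetBucketAcl shape: {"Owner": {...}, "Grants": [...]}.
    CanonicalUser grants are left alone: those really do name one account.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri in WORLD_GROUPS:
            findings.append((grant["Permission"], WORLD_GROUPS[uri]))
    return findings


def is_private(acl):
    """True when no grant goes to a predefined world group."""
    return not world_grants(acl)


# Placeholder canonical ID (real ones are 64 hex characters); constructed.
OWNER_ID = "0123456789abcdef" * 4

# Constructed sample: the misconfiguration behind most "leaky bucket" stories.
# The owner kept FULL_CONTROL but also granted READ to "Authenticated Users",
# believing that meant "people I have authorised".
LEAKY_ACL = json.loads(f"""
{{
  "Owner": {{"DisplayName": "contractor-finance", "ID": "{OWNER_ID}"}},
  "Grants": [
    {{"Grantee": {{"Type": "CanonicalUser", "ID": "{OWNER_ID}"}},
      "Permission": "FULL_CONTROL"}},
    {{"Grantee": {{"Type": "Group", "URI": "{AUTHENTICATED_USERS}"}},
      "Permission": "READ"}}
  ]
}}
""")

# Constructed sample: what the ACL should have looked like. Only the owning
# account is granted anything. A second account that needs access would be
# added as its own CanonicalUser grant (or via a bucket policy), never a group.
PRIVATE_ACL = json.loads(f"""
{{
  "Owner": {{"DisplayName": "contractor-finance", "ID": "{OWNER_ID}"}},
  "Grants": [
    {{"Grantee": {{"Type": "CanonicalUser", "ID": "{OWNER_ID}"}},
      "Permission": "FULL_CONTROL"}}
  ]
}}
""")


def main():
    for name, acl in (("leaky", LEAKY_ACL), ("private", PRIVATE_ACL)):
        findings = world_grants(acl)
        print(f"{name}: {'OK' if not findings else 'EXPOSED'}")
        for permission, why in findings:
            print(f"  {permission} granted to {why}")


if __name__ == "__main__":
    main()
```

To run it against a real bucket, feed in the output of `aws s3api get-bucket-acl --bucket NAME`. Two caveats a practitioner should keep in mind: the bucket ACL is only one of the places a bucket can be opened up (a bucket policy whose `Principal` is `"*"` does the same job and is not visible here), and individual objects carry their own ACLs, so a private bucket ACL does not by itself prove that every object in it is private.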

Mark Nunnikhoven has written up a useful guide explaining how to get this right, which is worth reading if you want to avoid being the next “leaky bucket” headline.