In another instance of a mishandled AWS S3 bucket, personal information of over one million Walmart shoppers was left exposed.
It may seem like déjà vu on a number of levels: a small, third-party vendor of a large, well-known retailer accidentally leaks a large volume of that retailer's customer data, including names, passwords and encrypted credit card details, because an AWS S3 bucket was left open to the internet.
Sounds familiar, right?
Well, this time it's not Target, but Walmart, whose jewellery partner, MBM Company, left an S3 bucket named "walmartsql" open for researchers to find - and, let's face it, who knows who else found it first. The incident is by no means unique; it is just one of a series over the past year. The frequency of this type of leak prompted Amazon last month to make its Trusted Advisor "S3 Bucket Permissions" check, which warns customers about buckets whose access control lists or bucket policies grant open access, free to all AWS customers.
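As an added example, not taken from the original article or from AWS, the script below performs a check in the same spirit as the S3 Bucket Permissions check, but runs offline: it walks ACL and bucket-policy documents in the shape the S3 GetBucketAcl and GetBucketPolicy calls return and flags grants to the predefined AllUsers and AuthenticatedUsers groups, plus Allow statements whose Principal is anyone. The sample documents, the owner ID, the bucket name and the VPC endpoint ID are all constructed placeholders; in real use you would feed it the output of boto3's `get_bucket_acl` and `get_bucket_policy` for each bucket in the account.

```python
"""Added example: flag S3 buckets whose ACL or bucket policy grants access to
everyone.  Runs offline over constructed documents shaped like the responses of
the S3 GetBucketAcl and GetBucketPolicy calls (boto3: get_bucket_acl and
get_bucket_policy)."""
import json

# Predefined S3 groups: AllUsers is anyone on the internet; AuthenticatedUsers is
# anyone holding any AWS account, which is just as public in practice.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def _as_list(value):
    """IAM policy JSON allows a single string wherever a list is expected."""
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Return (group_uri, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_json):
    """Return (sid, actions, has_condition) for Allow statements open to anyone.

    A Condition block can narrow such a statement (for example to one VPC
    endpoint), so conditioned statements are reported for review rather than
    declared public outright.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")):
            findings.append((stmt.get("Sid"), _as_list(stmt.get("Action", [])),
                             "Condition" in stmt))
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Classify one bucket as 'public', 'review' or 'private'."""
    acl_hits = acl_findings(acl)
    policy_hits = policy_findings(policy_json) if policy_json else []
    if acl_hits or any(not conditioned for _, _, conditioned in policy_hits):
        verdict = "public"
    elif policy_hits:
        verdict = "review"
    else:
        verdict = "private"
    return {"bucket": name, "verdict": verdict,
            "acl": acl_hits, "policy": policy_hits}


# Constructed sample documents (placeholders, not any real account's settings).
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef-example-owner"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
VPCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

if __name__ == "__main__":
    for result in (audit_bucket("example-bucket", LEAKY_ACL),
                   audit_bucket("example-bucket", PRIVATE_ACL, OPEN_POLICY),
                   audit_bucket("example-bucket", PRIVATE_ACL, VPCE_POLICY),
                   audit_bucket("example-bucket", PRIVATE_ACL)):
        print(result["verdict"], result)
```

The "review" verdict matters: a policy with `Principal: "*"` plus a `Condition` on `aws:SourceVpce` is a common and legitimate pattern, so a scanner that reports every wildcard principal as public produces noise that teams learn to ignore, while one that ignores wildcard principals with conditions misses policies whose condition is far weaker than it looks. Reporting them separately for a human to read is the practical middle ground.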
Companies that use cloud services for storage need to understand that they, not the service provider, are ultimately responsible for the security of their customers' information: under the shared responsibility model the provider secures the platform, but how a bucket is configured and what is stored in it is the customer's job. This will become even more important when the European General Data Protection Regulation (GDPR) comes into force in just over two months' time, on 25 May 2018.
As part of the regulation, many organizations (every public authority, and any organization whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data) will be required to appoint a Data Protection Officer to oversee the processes and technology that keep customer and employee data safe. Quite a few companies of late have learned the lesson about the insecurity of their AWS S3 buckets the hard way.
For Data Protection Officers to stand any chance of getting a handle on the security of their organization's most sensitive data (employee and customer names, email addresses, passwords, dates of birth, home addresses and so on), making sure it is secured in the cloud is a good place to start. Moving forward, the best way to safeguard the confidentiality of personal information stored on these services is for companies to ensure that any sensitive information is encrypted or tokenized before it leaves for the cloud service, with the keys or token vault kept apart from the bucket itself, so that a mis-permissioned bucket exposes only ciphertext or tokens rather than the data behind them.