Financial news organization Dow Jones accidentally exposed the data of at least two million customers after misconfiguring its storage on the Simple Storage Service (S3), part of the AWS public cloud.
The datasets included names, home and business addresses, email addresses, and the last four digits of credit card numbers, and could be accessed by anyone with a valid AWS account.
The issue was originally discovered by cyber security specialist UpGuard at the end of May. Even though no financial information was exposed, UpGuard warned that this type of contact data could be easily used to phish Wall Street Journal subscribers. The company has criticized Dow Jones, calling its efforts a “sluggish response.”
There is no evidence that Dow Jones customer information was ever accessed by third parties.
Dow Jones & Company is a publishing and financial information company with more than a century of history, owned by News Corp. since 2007. It provides news for professionals working in financial markets and its flagship media properties include the Wall Street Journal, Barron’s Magazine and Heat Street.
In May, researchers from UpGuard discovered that a cloud-based file repository owned by Dow Jones was wide open to anyone with an AWS account, due to a mistake in its permission settings. AWS accounts are free to register, and there are at least a million in use today.
The repository included information on subscribers, as well as 1.6 million entries in Dow’s Risk and Compliance database. The team at UpGuard was able to download the entire database, before the issue was resolved on 6 June.
Dow Jones has estimated the number of affected users at 2.2 million, but UpGuard puts the number close to 4 million.
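The exposure described above, a repository readable by any AWS account holder, is the kind of setting an ACL audit can catch. The following is an added example, not code from Dow Jones or UpGuard: it assumes the exposure took the form of a bucket ACL grant to S3's predefined AuthenticatedUsers group (the article says only "permission settings"), and it checks ACL documents in the JSON shape printed by `aws s3api get-bucket-acl`. The bucket names, owner IDs and function names are constructed for illustration.

```python
import json

GROUPS = "http://acs.amazonaws.com/groups/global/"
# Predefined S3 grantee groups that reach beyond the bucket owner's own account.
BROAD_GROUPS = {
    GROUPS + "AuthenticatedUsers": "any AWS account holder",
    GROUPS + "AllUsers": "anyone, no credentials needed",
}
# What each bucket-level ACL permission lets the grantee do.
EFFECT = {
    "READ": "list the bucket's objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "all of READ, WRITE, READ_ACP and WRITE_ACP",
}

def audit_acl(bucket, acl):
    """Return one finding per grant that opens the bucket to a broad group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = BROAD_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # canonical-user grants and the LogDelivery group are skipped
        perm = grant.get("Permission", "UNKNOWN")
        findings.append({"bucket": bucket, "audience": audience, "permission": perm,
                         "effect": EFFECT.get(perm, "unrecognised permission")})
    return findings

# Constructed sample ACLs (bucket names and owner IDs are made up).
SAMPLE_ACLS = json.loads("""
{
  "example-subscriber-exports": {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"}]},
  "example-internal-logs": {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"}]}
}
""")

def audit_all(acls):
    """Audit every bucket in a {name: acl} mapping, in name order."""
    return [f for name, acl in sorted(acls.items()) for f in audit_acl(name, acl)]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"{f['bucket']}: {f['permission']} granted to {f['audience']} ({f['effect']})")
```

A bucket ACL is only one place such access can be granted; object ACLs and bucket policies need the same review.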
“The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of the sensitive information of millions of Dow Jones customers,” cyber resilience analyst Dan O’Sullivan wrote on the UpGuard blog.
“The data exposed in this cloud leak could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past. Finally, the aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information.”