The Australian Broadcasting Corporation (ABC) leaked sensitive data online through a publicly accessibly Amazon Web Services (AWS) S3 bucket.
Public search engine Censys indexed the misconfigured asset on 14 November during a regular security audit of the S3 environment. Researchers at the Kromtech security center don't know who might have accessed the AWS S3 bucket before its discovery. However, they do have a firm grasp on what those individuals could have accessed from ABC Commercial, a division which specializes in content sales and marketing for the broadcasting giant.
The S3 bucket exposed multiple sources of sensitive and identifiable information including the following:
- Thousands of logins, usernames, and hashed passwords that ABC Commercial users need to access ABC content.
- Requests from TV and movie producers for licensed content.
- Secret access key and login details that someone could use to view another repository containing video content.
- 1,800 daily MySQL database backups dating back to 2015.
Redacted screenshot of one of the user tables in MySQL database backups, all publicly available. (Source: Kromtech)
With the assistance of researcher Troy Hunt, the team at Kromtech got in touch with ABC and notified it of the exposure. ABC Technology specialists thereafter secured the buckets within minutes. The broadcasting giant confirmed this account to The Register
on 17 November and said it's currently investigating a data breach with respect to the misconfiguration.
Bob Diachenko, Kromtech's chief communication officer, feels
that the incident at ABC is part of an ongoing trend involving data breaches:
The most unfortunate part is that the issue occurred due to human error and not a malicious attack. It seems like every few days there is yet another data breach, ransomware threat or a new security flaw and companies or organizations must do more to be proactive in how they store sensitive data online.
For information on how to secure their S3 buckets, organizations should look to these best practices
along with some new encryption and security features
unveiled on 6 November. They should also focus on implementing security controls
to help defend their S3 buckets and other assets against digital threats.