Skip to content ↓ | Skip to navigation ↓

Security researchers found an unprotected database stored on the cloud that contained detailed information of over 80 million U.S. households.

vpnMentor’s Noam Rotem and Ran Locar discovered the unprotected database hosted on a Microsoft cloud server during the course of a web mapping project. When they peered inside, they found that the asset contained 24 GB of information pertaining to 80 million U.S. households–more than half of the total number of American homes. These details included the number of people living at each household along with each of these individuals’ full names, marital status, income bracket and age.

Screenshot of a typical entry from the database. (Source: vpnMentor)

As noted by the researchers in a write-up of their discovery, digital criminals can abuse these pieces of information to commit identity theft, stage phishing attacks, infect individuals exposed in the data leak with ransomware, collect data for future attacks and even burglarize their homes.

Rotem and Locar indicated that they didn’t know to whom the database belonged, though based on the information involved, they made an educated guess that an organization in insurance, healthcare or mortgages owned the asset. They then asked the public for help them in identifying the database’s owner so that they could let them know about the data leak.

Shortly after their research went live, however, Microsoft took down the database and issued the following statement: “We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured.” The tech giant did not publicly release the name of the owner.

Tim Erlin, VP of Product Management & Strategy at Tripwire, explains that it’s not unusual for the identity of an owner of exposed data to be unknown. He admitted that the security community could only speculate about the exposure until (if ever) it learned the identity of the owner. But he did explain that organizations can protect themselves against suffering similar exposures in the meantime.

It’s clear, after so many incidents, that organizations do not have control over access to their data stored in the cloud. It’s not for a lack of tools, but a lack of understanding and implementation of the available tools. If you are storing data in the cloud, you can and should be able to audit the access permissions for that data on a continuous basis.

To adequately protect their cloud-hosted data, organizations need to follow a strategy to tighten their cloud security stance. This approach should involve the use of the solution built on top of fundamental security controls. Learn how Tripwire fulfills this recommendation.