Australian broadcaster hit by data breach

The Australian Broadcasting Corporation is the latest organisation to fall prey to misconfigured Amazon S3 storage buckets, exposing database backups and sensitive data such as login credentials

Australia’s national broadcaster Australian Broadcasting Corporation (ABC) has inadvertently exposed sensitive data, including information on production services and stock files held at Amazon’s S3 cloud storage service.

The blunder was reported on 16 November 2017 by Kromtech, a cyber security expert, which attributed the data leak to at least two misconfigured S3 buckets that could be accessed publicly.

According to Kromtech, the leaked data also comprised database backups, along with e-mail addresses, login information and hashed passwords used by ABC Commercial users, including members of the media, to access ABC’s content.

Kromtech said the S3 bucket was indexed by Censys, a search engine backed by internet-wide scanning, giving anyone with an internet connection the ability to browse the leaked data. The incident surfaced during a regular security audit conducted by Kromtech on 14 November 2017.

“It is unclear who else may have had access to ABC’s data or content. A majority of what would be considered sensitive or identifiable data came from the daily backups of ABC Commercial’s MySQL database,” Kromtech said, adding that all affected S3 buckets were successfully secured in minutes.

ABC Commercial is the ABC’s commercial arm that markets and sells ABC’s services and content used by media producers from all over the world in exchange for royalties.

The latest data breach follows an earlier incident in 2013 when an ABC-commissioned forum website was reportedly hacked, exposing data such as usernames and email addresses of some 50,000 users.

More recently in September 2017, Accenture reportedly exposed highly sensitive data about its cloud platform, inner workings, client information and 40,000 plain text passwords, also due to misconfigured S3 storage buckets.

While Amazon has recently introduced new S3 encryption and security features, such as default encryption and permission checks, cyber security experts have said that such data leaks could have been averted if basic cyber security hygiene practices were in place.

Yun Zhi Lin, vice-president of engineering in the Asia-Pacific region at global consultancy Contino, told Computer Weekly that organisations could use more suitable services for storing sensitive data, such as Amazon Web Services (AWS) Parameter Store or Key Management Service. The data could also be protected with server-side encryption and made accessible only via virtual private cloud resources.
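The controls named above (no public access, server-side encryption by default, access only from virtual private cloud resources) can be checked offline against a bucket's exported settings. The sketch below is an added example, not code from Kromtech, Contino or AWS; it assumes inputs shaped like the S3 ACL grants, bucket policy and bucket encryption documents, and every bucket name and ID in it is a constructed placeholder.

```python
# Added example: offline audit of one bucket's settings. All sample data is constructed.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
VPC_KEYS = {"aws:sourcevpce", "aws:sourcevpc"}  # compared in lower case

def _is_wildcard(principal):
    """True when the policy principal matches anyone."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def _vpc_restricted(statement):
    """True when a StringEquals condition pins access to a VPC or VPC endpoint."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return any(key.lower() in VPC_KEYS for key in cond)

def audit_bucket(acl_grants, policy, encryption):
    """Return findings for one bucket; an empty list means nothing was flagged."""
    findings = []
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_GROUPS:
            findings.append(f"acl: {grant.get('Permission')} granted to {uri.rsplit('/', 1)[-1]}")
    statements = (policy or {}).get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal")) and not _vpc_restricted(st):
            findings.append(f"policy: {st.get('Sid', '?')} allows any principal with no VPC condition")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append("encryption: no default server-side encryption rule")
    return findings

# Constructed inputs: a world-readable bucket and a hardened one (placeholder names and IDs).
READ_ALL = {"Sid": "ReadAll", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}
EXPOSED = dict(
    acl_grants=[{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}],
    policy={"Version": "2012-10-17", "Statement": [READ_ALL]},
    encryption=None)
HARDENED = dict(
    acl_grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}],
    policy={"Version": "2012-10-17", "Statement": [
        dict(READ_ALL, Sid="VpcOnly",
             Condition={"StringEquals": {"aws:SourceVpce": "vpce-0000placeholder"}})]},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
if __name__ == "__main__":
    print(audit_bucket(**EXPOSED), audit_bucket(**HARDENED), sep="\n")
```

The check only recognises `StringEquals` conditions on the two VPC keys, so a policy restricted some other way (for example by source IP) is still flagged and needs manual review.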

Raj Samani, chief scientist and fellow at McAfee, said the recent host of data breaches haven’t been caused by malicious actors, but rather by human error. “The reality is that as more companies become focused on their cyber security strategy many are unconsciously shooting themselves in the foot in their efforts to be secure,” he said.

“It is now not unusual for companies to have over 10 security tools to monitor, meaning that unsecured data becomes much harder to spot. The cyber security industry needs to focus on making sure that tools can operate together, removing siloed security teams and making it easier for companies to protect data, detect potential threats, and work to effectively correct them.”
