UpGuard: Unsecured Amazon S3 Buckets Exposed 1 TB of DataCloud-Based Databases Belonged to IT Firm Attunity
Several unsecured Amazon S3 buckets belonging to IT services firm Attunity left at least 1 TB of data, including files from companies such as Netflix, TD Bank and Ford, exposed to the internet, UpGuard researchers disclosed in a recent report.
The UpGuard research team first found the three open Amazon S3 databases on May 13 and immediately contacted Attunity.
By May 16, Upguard notified Attunity about the unsecure S3 buckets, which had names such as "attunity-it," "attunity-patch" and "attunity-support." By the next day, public access to the buckets had been removed, accoding to UpGuard's blog. Attunity is an Israeli firm that offers data management, warehousing, and replication services for about 2,000 customers, including many in the Fortune 100, according to the company's website.
The UpGuard researchers published their findings in a June 28 blog.
Securing the Database
It's not clear from the research if anyone actually downloaded or accessed the data within these three S3 buckets. Of the 1TB of data that UpGuard researchers found and examined, the databases contained 750GB of email backups as well as Microsoft OneDrive accounts that included email correspondence, system passwords, sales and marketing contact information, project specifications and more, according to the blog.
A spokesperson for Qlik, which was acquiring Attunity at the time UpGuard found the exposed S3 databases, tells Information Security Media Group that the company is working to ensure that both firms have uniform security standards for any data stored in the cloud.
"We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations," the Qlik spokesperson says. "We take this matter seriously and are committed to concluding this investigation as soon as possible. At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us."
It's not clear when Attunity first moved the customer data to the cloud, but the UpGuard researchers found that the largest of the three databases - attunity-it - contained data dating back to September 2014. The researchers also found that the company was still uploading data to that specific bucket until a few days before UpGuard contacted Attunity.
The data that UpGuard researchers found varied, but some examples include client lists belonging to Attunity customers, system credentials that included private keys, and system information that included SAP files and data.
In its blog, UpGuard showed some specific examples of what its researchers found, including a Ford project presentation, a software upgrade invoice belonging to TD Bank and database authentication strings from Nextflix.
The UpGuard research also showed that the databases contained information on Attunity employees based in the U.S., including one spreadsheet with nine-figure ID lists that appear to correspond to Social Security numbers. Other personally identifiable information on that spreadsheet includes first and last names, payroll ID, job title, the name of the direct supervisor and salary information.
"The risks to Attunity posed by exposed credentials, information and communications, then are risks to the security of the data they process," the UpGuard researchers write. "While many of the files are years old, the bucket was still in use at the time detected and reported by UpGuard, with the most recent files having been modified within days of discovery."
UpGuard researchers have a track record for finding these types of internet-exposed databases.
In April, the company made headlines when it published a blog that reported two third-party Facebook application developers exposed users' personal information by leaving the data exposed without a password in unsecured Amazon Web Services S3 buckets. One data set contained 540 million unsecured records, although it's not clear how many users were affected (see: Millions of Facebook Records Found Unsecured on AWS).
In 2018, UpGuard researchers found a misconfigured database belonging to a large medical practice that allegedly left information about thousands of patients - plus staff - exposed (see: Misconfigured Server Exposes Patient Data).
In its most recent examination of the Attunity-owned S3 buckets, UpGuard researchers note that 1 TB of data was what their team was able to find before contacting the company. The databases could be even larger and could have contained even more data, according to the blog.