Audio equipment manufacturer Sennheiser exposed personal data belonging to around 28,000 customers through a misconfigured Amazon Web Services S3 bucket, researchers revealed on Thursday.
The data in question had been collected between 2015 and 2018 and then stored on a public-facing S3 bucket that has remained dormant ever since, according to experts at VPN reviews website vpnMentor.
The data included customers' full names, email addresses, phone numbers, and home addresses, as well as the names of companies requesting hardware samples and the number of employees they had. At least 407,000 files, totaling 55Gb of data, were available.
"Sennheiser failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills," the researchers said.
RELATED RESOURCE
The secure cloud configuration imperative
The central role of cloud security posture management
The researchers discovered the exposed data on October 26, notifying Sennheiser two days later. Following a request for more information on November 1, the researchers sent the company the URL leading to the unsecured server along with examples of the types of information they had been able to lift. The company then locked the server down a few hours later.
VpnMentor said that if anyone had accessed the exposed data, they could have used it for identity theft, enabling them to perpetrate tax, insurance, mortgage, and credit card fraud. They could also have sent phishing emails to victims impersonating Sennheiser in order to source an even greater trove of personal information.
S3 is the storage layer supporting AWS services, and can be configured to be accessible from the public internet or to be private. However, it remains up to customers to make sure the buckets are configured correctly.
Exposing data in misconfigured S3 buckets is a common problem for AWS customers. In August, consumer ratings and review website SeniorAdvisor exposed over three million US senior's personal data via the cloud-based service. In June 2020, vpnMentor also discovered sensitive files from at least 100,000 users across multiple dating sites in exposed S3 storage.
Amazon has attempted to mitigate the problem, which typically stems from human error, with a tool to spot misconfigured resources.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Hackers are turning Amazon S3 bucket encryption against customers in new ransomware campaign – and they’ve already claimed two victimsNews Attackers are using AWS’ server-side encryption to conduct ransomware attacks
-
Dell Technologies World 2022: Dell unveils security offerings for major cloud providersNews The tech giant also added Cyber Recovery Services to its existing Apex portfolio and announced a multi-cloud collaboration with Snowflake Data Cloud
-
Denonia named as first malware to target AWS Lambda platformNews Deployment demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, Cado Security says
-
MWC 2022: Ukrainian protesters call for Russian tech boycottNews The protestors are urging AWS to “shut down” servers being used by Russian entities
-
AWS' CodeGuru Reviewer updated to tackle Log4jNews Amazon's code reviewer also now includes a library detailing every detector used by the platform
-
AWS shuts down NSO Group infrastructureNews The Israeli company’s Pegasus spyware was used to target at least 50,000 mobile phones
-
AWS Network Firewall provides network protection across all workloadsNews New firewall tools offer improved security in virtual private clouds
-
EU charges Amazon over misuse of third-party dataNews The EC claims Amazon broke competition rules by using data gathered on third-party sellers to compete against them
