Reindeer data breach: Small mistake, big consequences

News / Reindeer data breach: Small mistake, big consequences

Reindeer data breach: Small mistake, big consequences

For the vast majority of organisations, the confidentiality of their data is paramount for both business operations and the faith as well as loyalty of both customers and investors alike. Knowledge is power and threat actors aim to utilise it for their gain.   

Recently, Reindeer, a defunct American marketing company which has worked with brands like Tiffany & Co., Jack Willis and Patrón Tequila, left over 300,000 customers from its clients, across 35 countries, exposed due to a misconfigured S3 Amazon bucket. The data exposed details of approximately 306,000 customers in total and included over 1,400 profile pictures. Names, email and physical addresses, dates of birth, hashed passwords, and Facebook IDs were among the personal information discovered. Patrón Tequila was the client with the most customers’ Personally Identifiable Information (PIIs) exposed. 

Worse still, this is not the first company to run afoul of this sort of cybersecurity oversight. Recently SeniorAdvisor, which runs a customer ratings and review site on senior care, left millions of senior citizens’ sensitive data exposed PIIs such as surnames, emails, phone numbers, and dates contacted due to a misconfiguration with their Amazon S3 Bucket. Last year, Prestige Software, a vendor for the hospitality industry, exposed millions of records related to brands like Expedia, Hotels.com, and Hotelbeds due to the same mistake with their bucket. 

As more and more corporations rush onto cloud resources, scrambling for the great benefits, misconfigurations and errors in deployment, even ones that are easy to avoid given the proper oversight, are becoming more and more frequent and the consequences are increasing. 

What is an S3 Amazon Bucket? 

Amazon Simple Storage Service (Amazon S3) by Amazon Web Services (AWS) is a cloud storage resource that a number of businesses, both big and small, utilise to store and protect data, ranging from data lakes and websites to backup and restore and IoT devices. There are a number of applications that make Amazon S3 a popular choice for businesses. 

Amazon S3 buckets themselves are comparable to file folders, storing objects, their data and its descriptive metadata.  

S3 staple feature, S3 Block Public, allows you to block public access to objects both at the bucket and account level. However, a number of businesses are failing to configure their S3 buckets to properly utilise this feature and prevent public access, meaning anything that they store in their cloud remains exposed to the wider internet, just waiting for threat actors, who are often quite adept at reconnaissance and utilising keywords to play search engines, to find and take advantage of. 

What are the consequences of a data breach? 

One thing that massive data breaches like the one with Reindeer and SeniorAdvisor show is that one simple mistake can have devastating consequences for the confidentiality of high-value assets.  

WizCase’s cyber researchers, who discovered the breach at Reindeer, notified Amazon and also tried to contact Reindeer’s former owner via the US Cert about the 50,000 files exposed because of the misconfigured bucket, although proved unsuccessful on the latter. The dates of the leaked data range from May 2007 to February 2012. 

A hacker’s delight 

Breaches in confidentiality can lead to providing hackers with sensitive data which they can utilise to facilitate their cyberattacks. The extent of which this may have already occurred with the exposed information of Reindeer, as well as other businesses with misconfigured Amazon S3 Buckets, remains unknown as threat actors don’t often publicise their attack vectors. 

Those affected are more likely to be the victims of phishing scams, where hackers will utilise personal information that victim often won’t realise is online to psychologically leverage them into clicking on links or attachments which could, for example, introduce ransomware onto company servers if they’re an employee at work. 

It’s very possible the scammers could even impersonate the companies affected to dupe their customers into giving out even more sensitive information. 

Can vendors be trusted? 

Reindeer’s breach puts into question how trustworthy third-party vendors can be with cybersecurity standards and practices. Many companies who, individually, may have excellent cybersecurity measures can still be easily compromised if a vendor they are sharing a connection and data with doesn’t measure up. 

Negative publicity can put pressure on companies reliant on these data-breached vendors to switch, especially by respective competitors, meaning these sort of serious data breaches can often cause vendor organisations without a robust enough cybersecurity posture to lose business and even go out of business. 

Companies’ reputations, both vendor and client, often have a lot of difficulty recovering from the fallout of data breaches. In this case, it’s especially true as the configuration and permission/access errors are often due to organisations' own haste in taking advantage of an in-demand, online resource that they may not fully understand as well as neglect of cybersecurity best practices. 

Recommendations 

As companies rush to move technology onto cloud-based services in order to keep up with their competitors, misconfigurations and errors in deployment have increased exponentially. These are unfortunately very easy errors to make in cloud configuration and their permissions/access and vulnerabilities can easily rack up without an organisation’s knowledge. 

Organizations need to correctly implement network-based access controls and apply security policies to proactively protect themselves and their customers against sensitive data breaches.  

It’s further highly recommended that companies moving onto cloud resources have a cybersecurity system in place that monitors and tracks cyber assets, flagging up misconfigurations and errors in their cloud infrastructure which need to be dealt with.

How secure is

your business?

Security test

How secure is

your business?

Security test