AWS Misconfiguration and Data Exposure
29 August 2020
On 11th May 2020, our Dev team received an automated email from AWS reporting a misconfiguration of an Amazon Web Services S3 bucket. Our engineering team assessed and corrected the misconfiguration within minutes.
We subsequently learned that review site vpnMentor had originally brought this to Amazon’s attention, prompting their outreach to SSL247.
On 25th August, vpnMentor published a report about the May exposure. We learned on 25th August that vpnMentor had used a non-personal mailbox to blind carbon copy (bcc) our general Marketing and Support email aliases on 6th May 2020. The two SSL247 employees who received the email both interpreted its content as an unsolicited, generic broadcast marketing message and therefore did not escalate it within the organisation. The employees' response to the email does not represent our organisation's policies, and enhanced training will be provided company-wide to prevent a future occurrence.
However, upon understanding the legitimacy of the report from Amazon, our team conducted an internal audit and confirmed the misconfiguration of an AWS bucket. The misconfiguration could potentially have given AWS users access to approximately 479,000 files, mainly consisting of current and legacy marketing literature, current and legacy public website assets, current and legacy product data sheets, invoices and applicant CVs. The potential access span was 41 days. The misconfiguration was corrected within minutes of the Amazon notification.
This information is localised in the AWS-related part of our business and there is no evidence indicating that any of the files are available on the Web, or the Dark Web. No login credentials were exposed or compromised. No personal data has been found to have leaked and the misconfiguration only, potentially, gave AWS users access to these files.
The exposure does not affect the security, identity, or reliability of any SSL certificates or digital IDs sold by SSL247, nor does it extend to any of our partners’ systems. No private keys were compromised.
SSL247 takes the security and privacy of customer and applicant data very seriously and is taking the following steps to ensure there are no additional vulnerabilities, and to communicate with parties whose personal information may have been exposed:
- Remedied the misconfiguration reported to us by AWS on 11 May within minutes of receipt
- Conducted a full audit and pen test of our AWS environment; no known vulnerabilities exist today
- Ongoing Web and Dark Web monitoring for files potentially exposed
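As an added example (my code, not SSL247's or AWS's), this is the kind of check an S3 audit like the one listed above would include, together with the usual remediation. The notice's wording "gave AWS users access" is consistent with a bucket ACL grant to the predefined AuthenticatedUsers group, which is readable by every AWS account, not only the owner's; that mapping is my assumption, not something the notice states. The sample ACLs, bucket names and owner IDs below are constructed, and the two live functions need boto3 and credentials.

```python
"""Audit S3 bucket ACLs for grants to the AllUsers / AuthenticatedUsers groups.

Added example (not SSL247's code). It operates on the ACL document shape that
the S3 GetBucketAcl API returns; the two sample ACLs below are constructed.
"""
from typing import Dict, List

# Predefined S3 group URIs. AWS's own definition of "public" for an ACL is a
# grant to either of these: AllUsers needs no credentials at all, and
# AuthenticatedUsers means any AWS account anywhere, not just your own.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Ranked so that a report lists the most damaging grant first.
PERMISSION_SEVERITY = {"FULL_CONTROL": 5, "WRITE_ACP": 4, "WRITE": 3, "READ": 2, "READ_ACP": 1}


def find_public_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return each grant that targets a public group, most severe first."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append({"audience": PUBLIC_GROUP_URIS[uri],
                             "permission": grant["Permission"]})
    findings.sort(key=lambda f: PERMISSION_SEVERITY.get(f["permission"], 0),
                  reverse=True)
    return findings


def describe(bucket: str, acl: Dict) -> str:
    """One-line verdict suitable for an audit log."""
    findings = find_public_grants(acl)
    if not findings:
        return f"{bucket}: OK, ACL grants nothing to public groups"
    worst = findings[0]
    return (f"{bucket}: EXPOSED, {worst['permission']} granted to "
            f"{worst['audience']} ({len(findings)} public grant(s))")


# Constructed sample ACLs. Owner IDs are placeholders, not real canonical IDs.
PRIVATE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
    ],
}

# The failure mode discussed in the notice: a READ grant to AuthenticatedUsers
# lets every AWS account in the world list and download the bucket's objects.
EXPOSED_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}


def audit_account() -> Dict[str, List[Dict[str, str]]]:
    """Same check over every bucket in the calling account (needs boto3 + credentials)."""
    import boto3  # imported here so the offline samples run without the SDK installed
    s3 = boto3.client("s3")
    return {b["Name"]: find_public_grants(s3.get_bucket_acl(Bucket=b["Name"]))
            for b in s3.list_buckets()["Buckets"]}


def block_public_access(bucket: str) -> None:
    """Remediation: enable all four S3 Block Public Access settings on the bucket.

    With BlockPublicAcls / IgnorePublicAcls on, ACL grants to AllUsers and
    AuthenticatedUsers are rejected when written and ignored when evaluated.
    """
    import boto3
    boto3.client("s3").put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )


if __name__ == "__main__":
    print(describe("private-example", PRIVATE_ACL))
    print(describe("exposed-example", EXPOSED_ACL))
```

The ACL check is deliberately separate from the SDK calls so it can be run against ACLs exported earlier (for instance from the incident window) as well as live. Block Public Access at bucket or account level is the control that turns a single mis-set ACL from a 41-day exposure into a rejected API call, which is why enabling it belongs in the remediation list rather than only fixing the one grant.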
Customers should address any questions to their account manager, partners should contact their existing SSL247 commercial contact, and past candidates should contact recruit@SSL247.com.
We appreciate the efforts of all academic and research bodies as they work to assist the broader internet security landscape in meeting the highest standards in data privacy and security.