‘Wall Street Journal’ parent exposes 2.2M customers’ data in cloud storage error
The information of more than 2 million Dow Jones customers was left exposed online after the company made an error in the access preferences on a cloud storage system, the publisher said Monday.
The names, addresses, account information and last four digits of credit card numbers of some subscribers of Dow Jones publications — including The Wall Street Journal and Barron’s — were available to anyone who had an Amazon Web Services account.
Chris Vickery, director of cyber risk research at UpGuard, found the exposure May 30 while he was searching for exposed data on AWS servers. He said Dow Jones said it had secured the data on June 6.
Dow Jones said the data was secured immediately after the company was notified and that it has “no evidence any of the over-exposed information was taken.”
Vickery believes the employee who set the bucket to be viewed by “Authenticated Users” did not realize that meant the information would be available to all AWS users, not just Dow Jones employees.
The Wall Street Journal reported on the exposure Sunday.
The data exposure follows Verizon’s admission last week that a vendor had left the names, addresses, and in some cases, PINs, of 6 million customers exposed on Amazon’s cloud storage platform. The Dow Jones leak had the potential to be worse because it contained partial credit card information.
Dow Jones did not notify customers because the information had not been stolen and “the over-exposed data did not include full credit card or account login information that could pose a significant risk for consumers or require notification,” the company said in a statement to USA TODAY.
Cybersecurity experts are warning more such leaks are likely as companies increasingly use cloud storage services to store and analyze their data without fully understanding security protocols.
The dominant provider of cloud services, AWS operates under a “shared responsibility” model with the customer. The fast-growing Amazon unit controls the physical security and operating system, and gives customers encryption tools, best practices, and other advice to help them maintain security of their data. A spokesperson didn’t immediately respond to a request for comment.