Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/1/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Attunity Data Leak Exposes Sensitive Files at Ford, TD Bank

Three unsecured Amazon S3 storage buckets compromised more than 1TB of data belonging to Attunity and its high-profile clients.

Data management firm Attunity exposed more than 1TB of sensitive data via three misconfigured Amazon S3 buckets, security firm UpGuard disclosed late last week. The mistake compromised Attunity's internal corporate information as well as data of high-profile businesses, including Ford, TD Bank, and Netflix.

UpGuard researcher Chris Vickery found publicly accessible S3 storage buckets "attunity-it," "attunity-patch," and "attunity-support" on May 13, 2019. While the total amount of compromised data has not been confirmed, Vickery downloaded a sample of about 1TB, which included 750GB of compressed email backups, UpGuard reports.

"Attunity-it" held the bulk of sensitive data as well as the oldest files, which were uploaded in September 2014, though this doesn't mean they have been publicly accessible since then. The newest files were uploaded days before the discovery. Attunity was notified of the exposure on May 16. Following complications related to time zone disparities and Attunity's recent acquisition by business intelligence company Qlik, public access to the buckets was removed on May 17, 2019.

"Attunity was notified in mid May of an issue related to internal company data stored in AWS S3 buckets," writes Qlik spokesperson Derek Lyons in a statement. "Attunity personnel responded quickly to ensure that the data was secured. Attunity customers deploy and operate the software directly in their own environments, and therefore Attunity doesn't store or host sensitive data."

While AWS S3 bucket leaks are fairly common, Attunity's stands out for a few reasons. For starters, Vickery says, it wasn't difficult to discover three of its publicly accessible repositories. He usually finds one, maybe two or three, for a single company with one search. These businesses likely have more exposed, but the buckets' names may have terms he doesn't explicitly search. When Vickery used "Attunity" as a term, the search yielded these results.

"Finding three so quickly for Attunity was a little out of the ordinary," he says. This was "surprising" for a cloud migration and data integration business that counts 2,000 enterprises and half of the Fortune 100 among its clients. A file exposed among the buckets contained a client list with a number of organizations containing that description, he reports.

What Went Exposed?
Attunity's S3 buckets included details of internal projects at Ford, software upgrade invoices for TD Bank, and information on technology it was configuring for TD Bank. Vickery found backups of Attunity employee OneDrive accounts, which spanned a range of data that people need to do their jobs: emails, system passwords, sales and marketing contact info, project specifications.

"What made it even more surprising was the amount of employee email content," Vickery continues, adding that "you never know what's going to be in an email archive." Some of the exposed emails contained company account passwords written in plaintext, he points out.

Exposed files included documentation of Attunity's internal systems, documents describing how they will process customer data, and spreadsheets of employee information displaying full names, department, location, job title, date of hire, annual salary, and a range of other details. Adding to the risk, Vickery found employee ID numbers that are linked to Attunity's US employees use the same numbering scheme as Social Security numbers, leading to the idea the two may be the same. Researchers were able to confirm the Attunity employee IDs were valid SSNs; however, they were not able to verify the employee ID number for a person was also their SSN.

"The amount of data that was present was pretty extensive," says Vickery. "Whenever you have over a terabyte, that catches your attention." UpGuard notified Attunity of its findings, as well as its own clients that were affected by the exposure.

Cutting Third-Party Risk
The exposure of login credentials, particularly administrative credentials, increases the potential reach of someone who accessed these buckets. UpGuard researchers don't attempt to use credentials and cannot confirm the level of access provided by those exposed in the Attunity leak. Vickery says the question is what level of access Attunity has to client networks.

"Clients could be giving Attunity access that at some point is privileged, to a degree," he explains. If this is the case, it's hard to imagine a scenario in which the client wouldn't be at risk.

System credentials could be found in several places across the Attunity data set, serving as a reminder of how that data should be stored within an organization. Credentials such as private keys were stored and exposed in directors for configuring their respective systems. If exposed credentials and data pose a risk to Attunity, they pose a risk to the data that Attunity processes.

Vickery advises companies with major enterprise clients to "never upload anything to a third-party cloud that's not already encrypted." Encrypted data stored in a misconfigured bucket isn't as big a deal; even if a researcher or attacker finds it, they won't be able to read it. The publicly accessible buckets Vickery found belonging to Attunity had information stored in plaintext.

When establishing contracts with third parties, he also suggests including "very clearly defined areas" where the data will be stored and managed, as well as URLs to the buckets where data will be backed up. One of the two parties owns or controls this "neutral storage zone," he explains, but both will be able to verify whether the data is publicly accessible.

As per Lyons' statement, Qlik is still in the process of investigating this issue and has consulted outside security firms to conduct independent evaluations. At this point, findings indicate UpGuard, the security firm that alerted Qlik, is the only one to externally access the data.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13640
PUBLISHED: 2019-07-17
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
CVE-2019-5222
PUBLISHED: 2019-07-17
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful ...
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...