Data Often Left Unsecured As More Companies Rely On Cloud-Based Systems
MOUNTAIN VIEW (KPIX) -- It's part of our mobile-connected lifestyle: storing much of our personal information on the cloud as backup to keep it safe. But the cloud has leaks that have put millions of Americans' private information at risk.
To all the lazy, ignorant, and careless IT administrators out there, consider this your warning.
Chris Vickery spends his days poking around databases looking for sensitive data left out in the open, unprotected on the internet. For legal reasons, we can't even look at the screen when he's doing this.
In just a few minutes, jackpot. "Ok, so we have now a 54 gigabyte database backup, completely exposed to the public internet," he said.
Vickery is a legend in cloud security. Which means he's not just good, he's damn good. "How much damage could you do with that information?" we asked him.
"If I were a bad guy, there's no telling, said Vickery. "It all depends on what access has been granted to that account. But the point is, there's 54 gigs here. And I just found that by scrolling through and doing a little Ctrl-F. With time, resources, a team, you could potentially destroy the company."
Vickery is a cyber risk analyst at Upguard, a five-year-old startup based in Mountain View. He is trying to raise awareness about the massive amounts of data currently stored in the cloud and up for grabs.
How easy is it to find this unsecured data? "I could teach a monkey to do this," he said.
It's sensitive stuff, stored in repositories referred to as "buckets" on web servers owned mostly by Amazon Web Services, Google and Microsoft. They're supposed to be password-protected. But some are left open, exposing the data inside.
This year alone, Vickery stumbled upon a bucketful of data from the Republican National Committee, including dates of birth, home addresses, phone numbers and voter registration details on 198 million voters. It's the largest known data exposure of its kind.
Another bucket he found contained date of birth, driver licenses and partial social security numbers of 1.8 million Chicago voters.
Yet another: names and cellphone numbers of 14 million Verizon subscribers, all sitting in a bucket that had no password protection.
Upguard CEO Mike Baukes says the exposures usually happen when companies migrate their data from their own in-house hard drives to the cloud, which itself is relatively new and complex technology.
"It's pretty evident why they've done it. They've done it for the human need to make things simpler, ultimately," said Baukes. "But then the unfortunate thing is that they've unintentionally left a lot of stuff open to the rest of the human population."
Many companies don't have the expertise on staff, so they hire a third-party vendor, who may hire another third-party vendor, passing all your private information from one hand to another. "The primary person you are working with you may be able to engage with their security, but you don't know anything about what the vendor is doing," said Betsy Cooper, Executive Director of the UC Berkeley Center for Long Term Cybersecurity.
"They take your data for a very short amount of time and then they move it forward, in that case there is the opportunity for lots of different touch points and therefore lots of different possible issues," said Cooper.
In the Chicago voter database breach, a third-party company that runs voting systems all over the country - ES&S - admitted it was to blame. "When we set it up, we set it with the wrong security settings," said ES&S CEO Tom Burt.
Verizon's data breach happened through a third-party vendor called Nice Systems, that did not respond to our request for comment..
In a statement Verizon said, "No Verizon customer information was lost or stolen. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention." Verizon also said six million customers were exposed by the breach.
Upguard says word is getting out, and they have noticed cloud service providers making setups more secure, but it's a long road ahead. Until then, for Vickery, everyday is like a birthday-Christmas-treasure hunt, all rolled into one.
By the way, Upguard always gives the company that left the unguarded data on the cloud a heads up, and makes sure the unsecured data is secured -- before alerting the public.