Held to ransom: another reason to protect your cloud data

Cloud data stores are an increasingly popular target for attackers. Time and again mistakes made by IT staff and contractors have left them wide open to hackers, exposing huge troves of sensitive customer information. And all of this data could end up for sale on the dark web, as part of yet another data breach. But there’s another very good reason why firms need to lock down any internet-connected databases: attackers are also stealing the contents and holding it to ransom.

The latest victim, one of Mexico’s longest-established bookstores, last month discovered that hackers had removed 2.1 million customer records and left a ransom note. If you’re using cloud databases, it’s worth running a security audit to make sure your organization is not next on their list.

What happened?

Librería Porrúa is a bookseller and publisher with a history dating back over 100 years. But its foray into the online world appears to have backfired after researchers discovered a MongoDB instance exposed to the public-facing internet with no password protection. Even worse, it was available at two IP addresses, doubling the opportunity for hackers to find it.

Despite being informed by the white hats on 15 July, the firm doesn’t appear to have heeded the warning. Three days later, the contents of the database were wiped out and replaced with a ransom note for $500, to be paid in Bitcoin.

In total, over two million customer records were taken. They fell into two sets:

• The first contained 1.2 million records including names, addresses, phone numbers, emails, shipping numbers, invoice details, and hashed payment card info
• The second featured 958,000 records including full names, dates of birth, phone numbers, discount card activation codes and more

Not the first, or the last

This isn’t the first time a company has been hit by hackers demanding ransom for online data they’ve stolen. In 2017, several cases emerged in similar incidents that affected tens of thousands of organizations.One wave of attacks from a single group compromised 76,000 firms and 22,000 servers, earning over $100,000 in just a few days from their ransom demands.

Another much larger attack in February 2018 affected the Sacramento Bee newspaper. In that incident, the personal details of 19.5 million Californian voters in an online MongoDB database were encrypted by hackers – rendering it useless. The bad guys are increasingly capable of automating the search and discovery of such databases, using simple tools like IoT search engine Shodan.

More than ransom

The impact on companies affected by these types of security breaches extends beyond the ransom they may be forced to pay to regain access to customer data. The loss of sensitive data can also lead to:

• Regulatory fines, especially if any of the customers are EU citizens (as GDPR rules will apply, with fines potentially reaching €20m or 4% of global annual turnover)
• Customer churn stemming from the loss of confidence in the brand – especially in industries where competition is fierce, such as online retail
• Falling share price, also resulting from the impact of reputational damage
• Costs related to the investigation, remediation and clean-up of the original security incident
• Legal costs, if aggrieved customers decide to launch a class-action lawsuit

A bigger problem

This isn’t just a MongoDB issue, of course. Misconfigured cloud databases are regularly being probed by hackers to see if they can grab lucrative personal data to sell on the dark web. Amazon Web Services (AWS) instances are often at the center of such incidents, with security researchers frequently highlighting accounts that have been left public without password protection.

One security vendor has claimed that 7% of all S3 buckets are left completely exposed to potential hackers, and 35% are unencrypted.

What happens next?

Hackers will usually prioritize the low-hanging fruit: attacks which generate the biggest return for the minimum investment of time and resources. That makes exposed online databases a particularly attractive prospect. Fortunately, securing them is also pretty straightforward.

Consider trying the following:

• Educate employees and third-party contractors on best practices for configuring cloud databases
• Run a risk-based audit of all your cloud data, where it is, how sensitive it is, and what security controls are currently in place
• Follow the MongoDB checklist for improved authentication, encryption and limited network exposure
• MongoDB Cloud Manager and MongoDB Ops Manager provide continuous backup with point in time recovery, and users can also set up alerts to tell them if any data is publicly exposed
• Draw up and strictly enforce security policies to restrict who can access and change cloud infrastructure settings
• Amazon S3 buckets are configured as private by default
• Take advantage of enhancements AWS introduced in November 2018 to reduce the chance of misconfigurations
• Use a Cloud Access Security Broker (CASB) to locate sensitive data and audit configuration settings