back to article Cayman Islands investment fund left entire filestore viewable by world+dog in unsecured Azure blob

A Cayman Islands-based investment fund has exposed its entire backups to the internet after failing to properly configure a secure Microsoft Azure blob. Details of the fund's register of members and correspondence with its investors could be freely read by anyone with the URL to its Azure blob, the Microsoft equivalent of an …

  1. Doctor Syntax Silver badge
    IT Angle

    any other small firm whose think their main business is not focused on IT

    When a firm is dependent on IT it's an IT business whether it thinks it is or not. This sort of thing is the result of thinking it isn't.

    1. Anonymous Coward
      Anonymous Coward

      "When a firm is dependent on IT it's an IT business"

      Change IT to electricity - does that still work?

      1. Doctor Syntax Silver badge

        Does electricity have the same risk profile?

        1. cookieMonster

          It does if you’re the electrician or company installing it, some severe penalties for not following national standards and laws.

          1. Disgusted Of Tunbridge Wells

            Also customers tend to have a right old moan if your wiring makes them fizzy.

      2. Joe W Silver badge

        Like with electricity: pick a provider that does not leave you in the dark.

        (sorry)

        The challenge is that nowadays electricity providers are pretty much all very similar. There are way fewer that should be roundin' up cattle (or behave like they would) when compared with IT service providers. The standards for the first are well established. Clearly IT service providers should be certified to a similar level of standards, but many are not and many companies select their IT provider solely on the price. For electricity this works (mostly), nobody is going to install a substandard power line to your house, as there are enforcable rules about that.

      3. Anonymous Coward
        Happy

        "When a firm is dependent on IT it's an IT business"

        Change IT to electricity - does that still work?

        No, because they don't have to reconfigure the fuse box whenever someone plugs a new table lamp in, nor do they have to worry about Russian hackers gaining control of the kettle if they accidentally leave an MCB socket empty.

      4. Loyal Commenter Silver badge

        The difference being that if you're going to put in a ring main, you have to get an electrician in to do it, which helps prevent you from electrocuting yourself.

        If you put all your data into "the cloud", all you need is a means of payment, you don't need to get an IT professional to do it (and many businesses see IT people as an unnecessary expense). This then results in the metaphorical equivalent of standing in a bucket of water while licking a frayed HV cable.

        1. Anonymous Coward
          Anonymous Coward

          The situations with electricans isn't that different to IT providers. There are qualified and unqualified people around willing to do a job. You can do it yourself - all the necessary parts & tools available at B&Q etc . I believe the legal requirement (in UK) is to have the finished work certified by a registered electrician & I dare say there are also people ready to save you the trouble there and give you a nice piece of paper. The building trade was famed for "cowboys" well before IT got going after all.

      5. amanfromMars 1 Silver badge

        An Utter Impossibility ...... Absolute No-No ‽ .

        "When a firm is dependent on IT it's an IT business"

        Change IT to electricity - does that still work? ..... Anonymous Coward

        Whenever electricity is bog standard available practically everywhere with a population hardware and IT is a complex software product for wannabe ruling elite types, it doesn't work at all well.

      6. goldcd

        Sortof - yes

        You've got to get a qualified person in to install it, following sensible rules such as not using bell-wire, joining with sticky-tape or using a nail as a fuse.

        Then maintenance - yearly inspection.

        Then you have to plan for "electricity going wrong".

        Legal physical stuff like ensuring you have sprinklers/extinguishers in the office. Then legal personal stuff, like ensuring you've got people trained to turn off power first when somebody's electrocuted, how to treat them, how to evacuate the office etc.

        I guess my point is that companies using electricity have stricter rules to follow when procuring it and nice recurring line-items on budgets.

        Maybe better term would be "An IT (or electricity) dependent business"

        In this case, it sounds like they procured their external IT services from the equivalent of a "Bloke in the pub that did it on the cheap" - and then they just crossed their fingers that nothing would burst into flames.

        1. Anonymous Coward
          Anonymous Coward

          Re: Sortof - yes

          your home electrical installation was last inspected when?

          Apropos earlier posts:

          And as I understand it, all Part P certification (which was never really made available to skilled "hobbyists") is void at the time you need to sell you property - it gets (re)inspected at the time of listing.

          If you are confident in your own work (and you are allowed to change switches and sockets)...

          The down vote button is on the right

      7. Mage Silver badge
        Coffee/keyboard

        Re: dependent on IT it's an IT business

        Not generally true. But it's partly true for banks. They seem to regard a physical branch as an inconvenience and the local manager is now really a counter operative supervisor. The Branch seems to do little other than accept lodgements. All the activity including electronic lodgements can be done online. The computer automatically disables your Credit Card on some bizarre definition of fraud, not humans.

        They mostly ONLY do IT and do it badly.

        Real IT business provide IT to other businesses. So this is false "dependent on IT it's an IT business".

    2. Anonymous Coward
      Anonymous Coward

      Investment management was a thing in the era of ink and quill pens. If computer hardware and software vanished tomorrow, it would still be a business. They've tried to use IT and someone has effed up on their behalf, that doesn't make them an IT business.

      The idea that a business is an IT business because it uses IT heavily is promoted to puff up normal run of the mill companies as future Amazons, because being a property firm, taxi firm or pharmaceutical company (*) isn't sexy enough.

      * you know who they are

      1. Doctor Syntax Silver badge

        Let's take pharmaceuticals - my daughter works in clinical trials.

        You might think that the end product is a medicine. So it is, but before that hits the prescription pads e-prescriptions there's another product - a huge stack of documentation to be submitted for approval. That documentation isn't collated by sorting through bits of paper, it's put together on computers including laptops of people like my daughter.

        Those laptops are going to contain personal information about the trial patients - subject to GDPR - and including medical history. I'm not familiar with the regulations regarding that but I assume that it is subject to regulation over and above GDPR. The results of the trial will affect the share price so it's going to be subject to financial regulation as well. Beside all that the fact that it's also company commercial in confidence information is almost a minor consideration. As the trials workers are apt to be based where the patients are and not necessarily in head office there's also a need for secure communications with HO.

        Any pharmaceutical business that doesn't think it isn't also an IT business to handle all that with an appropriate degree of securely needs to think again.

        1. Anonymous Coward
          Anonymous Coward

          it's put together on computers including laptops of people like my daughter.

          Those laptops are going to contain personal information about the trial patients - subject to GDPR

          Fully-encrypted laptops, one hopes?

          1. Dante Alighieri Bronze badge

            psuedo anonymisation

            usually participant/registry numbers that can only be unblinded by legitimate access to clinical systems.

            Same issues for medical trainees - logbooks with identifiers only "breakable" with legitimate access to (local) healthcare system - and usually no need to do so!

            Trainee can't find individuals without traceable access to clinical records - nor can trainer (replace with researcher/regulator as necessary)

          2. DiViDeD Silver badge

            Re: Fully-encrypted laptops, one hopes?

            Well, from the actual trials side, far more than encrypted. Generally, a preloaded and locked down laptop supplied by the company, companies or trusts running the trials, loaded with the software required to record the trials, including any peripheral input devices and sensors. These machines are generally so locked down they can be considered black box clinical devices (boot directly into the trials software environment, no desktop, can't even play Solitaire on them, generally no access to the results or patient information). Occasionally they even have GPS tracking devices to record the movements of the laptop (test centre to office is fine - Tracey's apartment for the weekend, results invalidated).

            At least that was the case in Australia a couple of years ago when I was peripherally involved (as an IT consultant - not a trial subject) with an institute doing clinical trials in Sydney.

          3. Michael Wojcik Silver badge

            Fully-encrypted laptops

            You want encryption? Pal, even the keyboards are encrypted on these babies! You won't know what you're typing, that's how encrypted they are. We've encrypted the battery - the remaining charge value is indistinguishable from a random number. Press the power button? Equal chance of turning it off or on. Touch the trackpad and the pointer could go anywhere. Yep, fully encrypted.

        2. Disgusted Of Tunbridge Wells

          By that logic they're also in the "building security" business ( preventing people from breaking in and stealing secrets ).

          As well as being a HR business ( they have staff ). etc. A catering business if they have their own canteen staff.

          1. Stoneshop Silver badge

            preventing people from breaking in and stealing secrets

            They should. But theft and provision of power have been vulnerabilities for a good while longer than this information technology malarkey, so they're more prominent in most people's risk assessments. It's pretty straightforward to figure out what can happen if some miscreant heaves a brick through a ground-floor window or when there's a power cut, and what should be done to minimise that. Much less so when the issue is remote entry and data exfiltration through software vulnerabilities, misconfiguration and phishing. That attack surface is much more varied and opaque, and could well be growing by the day unlike any of the weak points that can be physically attacked.

      2. Paul Hovnanian Silver badge

        On the Internet?

        "Investment management was a thing in the era of ink and quill pens."

        Part of the attraction of Cayman Island corporations is that they should be difficult to examine. Being nothing more than a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.' None of this fancy Internet stuff. And there are those who would pay extra for the level of obfuscation provided by ink and quill pens.

        1. DiViDeD Silver badge

          Re: On the Internet?

          there are those who would pay extra for the level of obfuscation provided by ink and quill pens

          Yes. Isn't it odd that these people are simply looking to protect their privacy by using a legitimate business to keep their financial dealings confidential, while if an ordinary citizen is discovered using Tor, it's "Paedophiles, terrywrists and criminal gangs" all over the front pages

    3. low_resolution_foxxes Silver badge

      These funds generally take a 1-2% cut of their clients funds in fees, so it'll probably have turnover in the $3-9mpa. They can afford an IT manager, he can even polish the Bentley's.

  2. Cederic Silver badge

    "Hi, you've been hacked"

    In fairness I think I'd auto-delete an email telling me I'd been hacked - I get too many of them already, usually telling me that my non-existent webcam has caught me engaging in things I don't do.

    1. lglethal Silver badge
      Trollface

      Re: "Hi, you've been hacked"

      Of course you dont do them. Sure....

      We've all seen the pics Cederic, dont try and deny it. But if you dont want me posting them to Pornhub, please send 100 Bitcoin to the following address....

      1. Cederic Silver badge

        Re: "Hi, you've been hacked"

        For 100 Bitcoin I'll create the pictures and post them myself!

        1. Anonymous Coward
          Anonymous Coward

          Re: "Hi, you've been hacked"

          The the question isn't really about whether you do it or not, but how much you charge?

  3. Doctor Syntax Silver badge

    Oops.

    I wonder how many tax authorities have spotted it.

  4. Potemkine! Silver badge

    Would it be possible to pass all these data to the tax authorities worldwide? Just in case someone used this fund located in a tax heaven to avoid to pay his / her fair share of taxes.

    1. Plest Bronze badge

      Not every investor is a low-life weasel paying 2 quid tax on every 200 million earnings, a lot do pay their share but they have the money to minimise their tax bills. The right school, the right nobby friends and we'd all be doing it!

      1. Michael Wojcik Silver badge

        Not all of us.

  5. amanfromMars 1 Silver badge

    Don't Panic ...... There's Really Nothing to Worry About from Here to Where We're All Going .....

    .... I Kid U Not

    The unnamed fund's incident response consisted of disregarding the initial notification from The Register before asking a staffer with a compsci degree if he thought there was cause for concern. Luckily, that person realised what we were trying to tell them.

    What would you tell them now El Reg with regard to utilisation and exploitation of compsci degree level concerns ......in ACTive Virtual Applications with Monied Investors ....... Cyber Business Angels ......... Absolute Daemons?

    Would you tell not to worry, for there are no problems to boot and repeat/reboot and introduce ....... Present? That would be Helpful and Prescient and probably something Quite Entirely Different ..... Novel and Noble .... and NNobeling? :-) Now there's an Almighty Indulgence questioned for its True Worth and Perceived Value right there, slap bang in the middle of this descriptor paragraph.

    1. m4r35n357

      Re: Don't Panic ......

      My hovercraft is also full of eels.

    2. amanfromMars 1 Silver badge

      Re: Don't Panic ...... There's Really Nothing to Worry About if We're All Going to Die Too:-)

      Would you tell them [sic] not to worry, for there are no problems to boot and repeat/reboot and introduce ....... Present?

      Or, if they be erring and errant humans with sensitive and secretive shenanigans to hide or pray stay undiscovered and still deeply covered, would it be right to tell them to be ready to be absolutely terrified because of the changed and changeable nature of developments in fields of compsci at Masters degree and DPhil level concerns/fervent interest, for there are myriad multiple problems to boot and repeat/reboot and reintroduce which cannot be negated or mitigated by targeted bodies/compromised entities/failed utilities, should certain facilities and information be exercised and released to create mayhem and havoc and conflicts in CHAOS .... Clouds Hosting Advanced Operating Systems ?

      What would be the more truthful option, El Reg/El Regers, based upon the breadth of your own knowledge and on all of the relevant and relative subject matter that you may have read online either here or elsewhere and somewhere foreign and alien and remarkably different to many a being?

      And would/could you honestly believe it to be definitely the latter rather than unlikely the former should it ever be boldly told to you to be so, or would you require a spectacular runaway train like, chain reaction daemonstration which current power and SCADA Administration Systems are disabled and unable to stop?

      If needs must, you can certainly panic now if you like. It is certainly the right time to if ever one was needed with so much to be heeded already so widely universally seeded and free out there. :-) And I'm calling MRDA on that, lest nobody else does. :-)

  6. EnviableOne Silver badge

    Stop calling it cloud

    this gives them non techys a fluffy feeling of something up there that no-one has access to ...

    the reality is more like leaving it in some blokes lockup on an industrial estate

    you wouldnt store anything there without checking the security out....

    1. Peter Galbavy

      Re: Stop calling it cloud

      Except in this case the "lockup" hasn't actually got a padlock on it, so it's more an "unlockup"

      1. EnviableOne Silver badge

        Re: Stop calling it cloud

        ahh, another miss-apprehesion, no mention of padlock, the name is more generic, implying it is a storage space, with the facility to be locked up, much like blobs or buckets ...

        just because it can be locked up does not in any way imply that it has ...

  7. Anonymous Coward
    Happy

    The firm claims to have $500m under management...

    Not any more, I'm guessing.

    1. Yet Another Anonymous coward Silver badge

      Re: The firm claims to have $500m under management...

      I suspect some of their customers are likely to do more than write an unfavourable yelp review.

      Be interesting to follow the Cayman island local news to see how many directors suddenly, accidentally cut their own heads off while shaving.

  8. Blackjack Silver badge

    So... Blobleaks when?

    While I am not sure if the Register gonna do it, someone else is gonna leak all this information eventually became Cayman Islands. More so if they find famous people in the clients list.

  9. TheVogon

    Azure blobs are secure by default so to make one publically accessible takes a special kind of stupid.

    1. Michael Wojcik Silver badge

      Yes, it actually takes some effort to leave an S3 bucket unsecured too.

      If the bit about "their Hong Kong IT provider" is true, then it's time to find a new provider. It should be trivial to provide basic security for a cloud-based backup system, including encrypting the data at rest. This is inexcusable.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021