
Would it be too much for "locked down" to be the default ACL when setting up an AWS instance...requiring manual intervention to make it accessible to anything outside the same instance?
Another day, another unsecured Amazon Web Services S3 storage bucket spilling secrets onto the public internet. This time it's a misconfigured AWS cloud silo belonging to FedEx, which openly exposed an archive of more than 119,000 scanned documents – including passports and drivers licenses – plus customer records including …
Working on IBM Cloud, this would be a good time to blame a competitor, but in fact the end customer is at fault here. The S3 bucket ACL is fully private by default, allowing access to the bucket owner only (not even other admins on the same account). You need to explicitly change the policy to get into a mess like this one.
I have been sorting out a mess on a few customer cases with badly configured buckets. When customers change their buckets to be open to all they usually don't understand they are doing that, and that is because they aren't generally directly applying the change in the portal or with the CLI.
What actually happens is customers start to use a Python, Java or JS library in their application to use S3 directly as a storage backend. A good example I know would be Django-Storage (https://simpleisbetterthancomplex.com/tutorial/2017/08/01/how-to-setup-amazon-s3-in-a-django-project.html). These libraries expect you to pass AWS console API keys as env variables and do "required changes on buckets they create..."
As these libs were for the most part designed as storage for website static assets like user-uploaded public profile pics, security has never been much of a design point. Next some dev figures these libs are also pretty handy for storing more sensitive content. I mean, once configured with the backend they are just a tag you can use directly in web forms, a security review is not part of the CI/CD test suite, and the rest is history...
For assurances that the acquired company actually has the goods, and that the goods are well-secured? Is this something one of those big London insurers guarantee for 10 years?
And how does one place a value on a 3 year old passport with lots of other information? Is the value to Bongo or FedEx or to the document owner? How to recompense the actual document holder when her private details are broadcast several years later?
Along with "who owns my genes" that we have monumental issues of ownership and privacy. And these issues aren't something that "my" government (US) wants to take up except to rape our freedoms even more.
Seriously. If this goes without a punishment you can see from orbit, what is the point anymore.
To keep things simple, maybe there should be an International Treaty of Finey McFineyface.
By law, every identity database must have his identity. Any entity found anywhere with an accessible part of this screamingly searchable identity will be automatically fined no questions asked, with the fine exponentially increasing with each occurrence.
I blame the suits.
I don't. How often does anyone in a suit go near the data?
This is what happens when you let developers think they can do DevOps without actually knowing anything about Ops. The mindset is "I'll just stick this data up here in the cloud, oh, I can't get to it from the office, I'll just turn off all the security".
I would bet you all my pay that there's been no sysadmin involved in the process.
"I suggest we expand GDPR. Expand the scope to the whole world"
If the operation covers any EU residents it will be within scope. For those of you who are non-EU residents dealing with non-EU businesses, you need a regulatory system that will look after you better. At least even the Brexit-minded HMG has to put it into UK law so it will apply even when we're outside the EU.
AWS scan the bit buckets and mail the owners asking for positive confirmation that the bucket should be public.
Without a positive response the bucket is locked down until the owner confirms in writing that it should be public.
That should at least clear all the forgotten ones, and may even make some people think before they click on the prompt to open the whole thing up to the world.