ABC recently carried a story of a kind that is becoming all too common: Amazon S3 data left open to the public with sensitive customer information exposed, in this instance front and back scans of NSW driver's licences and tolling notices. You don’t need too much imagination to see how harmful this information could be in the wrong hands, and you can be pretty confident that it is now in those hands.
It seems as though the leak is down to a private business (one would assume a toll road operator?) which is now likely to face some pretty serious damages claims. I’m no lawyer, but surely the potential costs of identity theft and fraud against these tens of thousands of impacted people are not something any business would want to deal with. While they may have insurance coverage, this seems equivalent to insuring your valuables, storing them in a paddock next to the road and then trying to submit a claim. Would you want to be that business?
Amazon and other cloud services are a fantastically useful resource which can allow your IT infrastructure to scale out as required in ways that would be prohibitively expensive if you owned the actual hardware, but they share the same issue as any complex and powerful tool: any misconfiguration can be catastrophic.
It seems pretty obvious that many businesses are using this infrastructure without adequate security auditing, and they will have to start being held accountable. Don’t be that business. Even seemingly minor customer information that you hold could be the final small piece that a malicious actor requires to complete their profile of one of your customers and financially ruin them. Security needs to be a larger line item moving forward for businesses big and small.
- Try not to use different types of identification for different services. The fewer types of ID you have out there, the easier it is to clean up after a breach. Also, you should keep certain things in reserve and never share them, such as your passport or birth certificate.
- If possible, don’t share these electronically. If you can go into a physical office and have them scanned and the copy is just popped into a filing cabinet then that should be preferred.
- Always use the absolute minimum required.
- Hold up your end. Identity theft is about pulling together as many pieces of information as possible, and if you are using weak passwords and other poor security practices then you make it easier to gather.
- Avoid sharing on social media the information that is commonly used for security questions. For example, if you call your bank and tell them you have forgotten your password, they will ask for things like your date of birth. Is this publicly available on Facebook? Many sites will ask you to set ‘security’ questions from a list of limited options, like "Where did you go to school?", "What street did you live on?", "What was your pet’s name?", etc. Again, if these are your options, you want to make sure that someone can’t just look them up.
- Even if this information is not ‘public’, if you are using weak passwords and no two-factor authentication then it may as well be!
I’ll add any good ideas anyone is willing to propose here in future; this is just a quick off-the-top-of-the-head response to an article I happened to read this morning.