Updated on November 28, 2017 by Dan O'Sullivan
The UpGuard Cyber Risk Team can now report that a cloud-based file repository owned by financial publishing firm Dow Jones & Company, which had been configured to allow semi-public access, exposed the sensitive personal and financial details of millions of the company’s customers. While Dow Jones has confirmed that at least 2.2 million customers were affected, UpGuard calculations put the number closer to 4 million accounts.
The exposed data includes the names, addresses, account information, email addresses, and last four digits of credit card numbers of millions of subscribers to Dow Jones publications like The Wall Street Journal and Barron's. Also exposed in the cloud leak were the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations.
The UpGuard Cyber Risk Team is a unit devoted to discovering data exposures where they exist, aiding in securing sensitive information against possible exploitation, and raising public awareness about the issues of cyber risk driving data insecurity across the digital landscape.
The exposed data repository, an Amazon Web Services S3 bucket, had been configured via permission settings to allow any AWS “Authenticated Users” to download the data via the repository’s URL. Per Amazon’s own definition, an “authenticated user” is “any user that has an Amazon AWS account,” a base that already numbers over a million users; registration for such an account is free.
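The grant described above is a bucket ACL entry for the S3 group grantee "AuthenticatedUsers". The following is an added example, not code from UpGuard or Dow Jones, showing how a defender can audit an ACL for that grant (and for the fully anonymous "AllUsers" group) and produce the corrected ACL. The ACL dictionary is constructed to match the shape boto3's `get_bucket_acl` returns; the owner ID in it is a placeholder, and the Block Public Access setting at the end is a control AWS added after this article was written.

```python
"""Audit an S3 bucket ACL for grants to the AllUsers / AuthenticatedUsers groups.

Added example, not UpGuard's or Dow Jones's code. SAMPLE_ACL is constructed to
match the dict shape boto3's `s3.get_bucket_acl(Bucket=...)` returns; the
canonical owner ID is a placeholder.
"""

# Canonical group URIs used by S3 ACLs (real values, documented by AWS).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Any grant to either group is reachable by people outside the account:
# AllUsers needs no credentials at all, AuthenticatedUsers needs only a free
# AWS account, which is the setting the article describes.
RISKY_GROUPS = {
    ALL_USERS: "anonymous (AllUsers)",
    AUTHENTICATED_USERS: "any AWS account holder (AuthenticatedUsers)",
}

# Constructed sample: the owner keeps FULL_CONTROL, but a second grant hands
# READ to the AuthenticatedUsers group. At bucket level, READ lets the grantee
# list every key; with matching object grants it lets them download the data.
SAMPLE_ACL = {
    "Owner": {"ID": "0000-owner-canonical-id-placeholder"},
    "Grants": [
        {
            "Grantee": {"Type": "CanonicalUser", "ID": "0000-owner-canonical-id-placeholder"},
            "Permission": "FULL_CONTROL",
        },
        {
            "Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
            "Permission": "READ",
        },
    ],
}


def _is_risky_grant(grant):
    """True when the grant's grantee is one of the two global groups."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS


def audit_bucket_acl(acl):
    """Return a list of (who, permission) findings, one per risky grant.

    Non-global groups such as LogDelivery are left alone; only the two
    URIs above make a bucket reachable from outside the account.
    """
    findings = []
    for grant in acl.get("Grants", []):
        if _is_risky_grant(grant):
            who = RISKY_GROUPS[grant["Grantee"]["URI"]]
            findings.append((who, grant["Permission"]))
    return findings


def remediated_acl(acl):
    """Return a copy of the ACL with every risky group grant removed.

    The result has the shape expected by
    `s3.put_bucket_acl(Bucket=..., AccessControlPolicy=...)`.
    """
    kept = [g for g in acl.get("Grants", []) if not _is_risky_grant(g)]
    return {"Owner": acl["Owner"], "Grants": kept}


# Bucket- or account-level "Block Public Access" configuration. AWS added this
# control after the article was written; the four keys are the real parameter
# names accepted by `put_public_access_block`. With IgnorePublicAcls set, a
# stray AuthenticatedUsers grant is ignored even if someone re-adds it later.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


if __name__ == "__main__":
    for who, perm in audit_bucket_acl(SAMPLE_ACL):
        print(f"FINDING: {perm} granted to {who}")
    fixed = remediated_acl(SAMPLE_ACL)
    print("grants remaining after remediation:", len(fixed["Grants"]))
    print("findings after remediation:", audit_bucket_acl(fixed))
```

Run against a live bucket, `audit_bucket_acl` would take the dict returned by `get_bucket_acl` directly; the same check should also be applied to object ACLs, since an object can be readable even when the bucket listing is not. The Block Public Access dictionary is the durable fix: it makes the audit finding impossible to reintroduce rather than merely correcting it once.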
The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of the sensitive information of millions of Dow Jones customers. The data exposed in this cloud leak could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past. Finally, the aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information.
On the evening of May 30th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon S3 cloud-based data repository accessible to AWS authenticated users under the subdomain “dj-skynet.” While the title and contents of the repository indicate the data to have originated from within Dow Jones, as later confirmed by Dow Jones & Company’s Chief Information Security Officer, “Skynet” appears to be a reference to the doomsday computer system in “Terminator 2: Judgment Day.”
On June 1st, Vickery began downloading the contents of the repository, which was secured on June 6th. Contained within the “dj-skynet” repository were several dozen directories, among them, folders containing the phrases “build_assets,” “development,” “customerlogin,” and “cust_subscription.” Clicking into the folder containing this last phrase presented four compressed Apache Avro files totaling 771 MB in size; the smallest of these files, at 89 MB, clocks in at 2 GB when decompressed.
The contents of the “table=ics_cust_subscription” folder.
Once decompressed, these files are revealed to be four large text logs composed entirely of Dow Jones customer data, prepared in a format that could easily be fed into a database for internal record-keeping. Among the fields populated with data throughout the text files are customer names, internal Dow Jones customer IDs, home and business addresses, and account details, such as the promotional offer under which a customer signed up for a subscription. Perhaps most critical was the inclusion of the last four digits of customer credit cards in the files, as well as customer email addresses also used to login to their accounts online. A small percentage of customers also had their phone numbers exposed in the files.
Dow Jones & Company has confirmed that 2.2 million customers were exposed in this manner. However, per analysis of the size and composition of the repository, UpGuard conservatively estimates that the number may be as high as four million, though duplicated subscriptions may account for some of the difference.
Also stored in the main repository is a folder titled “rnc_watchlist.” While the Dow Jones Risk and Compliance Watchlist was also the name of a previously offered product, this folder title may reference data of more recent and ongoing relevance to Dow Jones’s suite of anti-corruption databases. These products, sold under Dow Jones’s Risk and Compliance brand, are advertised as “[helping] companies evaluate third party risks faster and with more confidence” by providing users with “research tools and outsourced services for on-boarding, vetting and investigation to help companies comply with anti-money laundering, anti-bribery, corruption and economic sanctions regulation in mitigating third party risk.”
Within this folder are 21 schema files, explaining various field names for the data set, as well as a .csv file named djrc_ac_csv_201603312359_f. This .csv file lists 1.6 million rows of people or entities, along with any associated aliases, organizations, and businesses, as well as the subject’s background and personal history.
Several of the fields in the apparent Risk and Compliance data set.
The list includes a great many financial industry personnel located around the world, as well as many more well-known parties of ill-repute; reproduced below is the entry for deceased Libyan leader Muammar Gaddafi.
Muammar Gaddafi’s apparent entry in the Risk and Compliance .csv file.
This set of 1.6 million suspicious persons or entities bears a great similarity to Dow Jones’s public descriptions of the contents of Risk and Compliance research tools like RiskReports and RiskCenter, platforms that provide subscribers with information on potentially questionable characters and organizations best avoided in the financial world.
This cloud leak raises several critical issues of cyber risk bearing wider significance across the digital landscape of 2017. The configuration of cloud-based storage by enterprises to allow public or semi-public access is by now an all-too-common story, a move that needlessly exposes sensitive customer data to the risk of exploitation. The threat of such misuse is all too real, and indeed, has grown endemic, with a burgeoning cyber underworld in which malicious actors are able to swiftly take advantage of such user lapses for their own benefit.
While UpGuard has no knowledge either way as to whether any such malicious actors may have accessed the exposed Dow Jones repository prior to its closure, the incident is instructive in showing how cyber criminals could have done so. Customer names, addresses, email addresses, and the smaller number of phone numbers would be of use to any spammers or digital marketers, but could also be used to far more malign effect.
The spectre of phishing, in which malicious actors pose as an authority acting in some official capacity to convince users to supply their sensitive personal details, is by now a well-known tactic. With a list of four million subscribers to Dow Jones publications, it is not hard to see how malicious actors could deploy phishing messages against exposed customers. Sending official-looking emails purporting to be from The Wall Street Journal notifying customers their subscription had lapsed, or that their accounts had been compromised, malicious actors could have succeeded in convincing such high-value targets to supply credit card information, login credentials, or more.
While it is a relief that only the last four digits of customer credit cards were exposed in the breach, even this data could potentially be used to damaging effect. A vulnerability discovered in 2015 allowed anyone in possession of the last four digits of a Chase or Bank of America credit card number to, in combination with the victim’s phone number, gain control of the account.
Finally, of great concern is the response of Dow Jones & Company’s leadership. While few enterprises would enjoy notifying customers of such an event, it is of the utmost importance to enable consumers to secure their data and impede the ability of any malicious actors to take advantage of the exposure. To not do so is counterproductive, as seen in the recent case of UK-based insurer The AA, which in April 2017 denied the existence of a publicly accessible server, only to see this proven false in July with the revelation that over 100,000 customers had had their financial details exposed.
As illustrated in this cloud leak, and by Dow Jones’s sluggish response, the risky handling of customer data is not a behavior exclusive merely to low-rent firms, but can occur in the operations of esteemed, well-known organizations occupying the upper echelons of the financial world. In short, the problem of cyber risk is pervasive; its consequences are felt everywhere from the boiler room to the boardroom. Enterprises must start regaining control over their IT systems to ensure easily preventable mistakes are caught quickly, or face a costly digital backlash.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.