Dow Jones Data Exposed on Public Server
'Authorized Third Party' Responsible for Leak, Company Says
An "authorized third party" exposed a Dow Jones database with more than 2.4 million records of risky businesses and individuals on a public server without password protection. The data exposure incident points to the importance of proper vendor risk management, security experts say.
Bob Diachenko, an independent security researcher, discovered that an Amazon Web Services-hosted Elasticsearch database exposed the records, TechCrunch first reported. The exposed data, which has since been secured, is Dow Jones' Watchlist database, which companies use as part of their risk and compliance efforts.
Dow Jones says in a statement that "an authorized third party" was to blame for the exposure, but it did not name the company. Dow Jones declined to provide further details on the incident.
Security researchers say the incident highlights the need for adequate vendor risk management. A recent Verizon report found that one of every two data breaches stems from third-party risks.
Too many organizations focus on protecting their own IT infrastructure, ignoring the security of data handed over to a third party, security experts say. "This becomes a major issue because you are as vulnerable as your vendor managing your data," says Edwin Lim, director of professional services - APJ, at Trustwave, a Singtel company.
To mitigate such risks, experts suggest classifying vendors in terms of risk exposure, interacting with key vendors regularly and maintaining clear vendor policies.
An Elasticsearch server containing Dow Jones data apparently was left exposed on the internet without a password for almost two weeks, says Prakash Kumar Ranjan, an India-based security practitioner who works at a financial firm. "The leaky server was spotted by Diachenko, during a regular security audit of unsecured servers indexed by the Shodan search engine. It was leaking over 73GB of data, and several databases were cached inside the server's memory," Ranjan says.
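The exposure described above is the classic one: an Elasticsearch node that answers its REST API to anyone who can reach the port, because no authentication layer sits in front of it. The following is an added example, not code from the article or from any of the researchers it quotes, showing the check a practitioner would run against their own (or a vendor's, with authorization) Elasticsearch endpoint: fetch `GET /` with no credentials and classify the answer. An unauthenticated 200 carrying `cluster_name` and `version` means the cluster is open; a 401 or 403 means something is enforcing credentials. The host URL, the function names and the sample responses are all assumptions made for the example; the sample JSON is constructed, not captured from any real server.

```python
"""Check whether an Elasticsearch endpoint answers without credentials.

Added example (not from the original article). Assumes only the standard
Elasticsearch REST API over HTTP(S); the base URL is supplied by the caller.
Only probe hosts you are authorized to test.
"""
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Map the HTTP status and body of an unauthenticated GET / to a verdict.

    200 with a JSON object carrying "cluster_name" and "version" -> "open":
        the cluster served its banner to an anonymous client.
    401 or 403 -> "auth-required": some auth layer (X-Pack, a proxy) is in front.
    200 with anything else -> "not-elasticsearch" (e.g. a web page on that port).
    Any other status -> "unexpected-status".
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
        return "not-elasticsearch"
    return "unexpected-status"


def summarize_indices(cat_json):
    """Turn /_cat/indices?format=json output into (index, doc_count, store_size)
    tuples, largest document count first, so an open cluster's exposure can be
    sized at a glance. Missing counts are treated as zero."""
    rows = json.loads(cat_json)
    out = []
    for r in rows:
        out.append((r.get("index"), int(r.get("docs.count") or 0), r.get("store.size")))
    out.sort(key=lambda t: t[1], reverse=True)
    return out


def probe(base_url, timeout=5):
    """Issue an anonymous GET / to base_url and classify the response.
    Network failures are reported as "unreachable" instead of raising."""
    req = urllib.request.Request(base_url.rstrip("/") + "/",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:          # 401/403/404 etc. arrive here
        return classify(e.code, "")
    except (urllib.error.URLError, OSError):     # refused, DNS failure, timeout
        return "unreachable"


# Constructed sample responses for offline use (not from any real host).
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "example-cluster",
    "version": {"number": "6.5.4"},
    "tagline": "You Know, for Search",
})
SAMPLE_CAT = json.dumps([
    {"index": ".kibana", "docs.count": "12", "store.size": "40kb"},
    {"index": "example-index", "docs.count": "1234", "store.size": "9.8mb"},
])

if __name__ == "__main__":
    # Offline demonstration against the constructed samples; for a live check
    # call probe("http://<host>:9200") instead.
    print("verdict:", classify(200, SAMPLE_ROOT))
    for name, docs, size in summarize_indices(SAMPLE_CAT):
        print(f"{name:20s} {docs:>10d} {size}")
```

A verdict of "open" is the condition that matters: it does not prove data is sensitive, but it does mean every index, and the `_search` API over it, is readable by anyone who can reach the port, which is exactly what a Shodan index of unauthenticated Elasticsearch hosts turns up.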
Diachenko wrote in a blog that the data was "indexed, tagged and searchable." TechCrunch reports that the data exposed on the server included current and past elected officials, sanctioned people and companies, individuals with terrorism links, "special interest persons" and those convicted of financial crimes.
The data included names, addresses, locations, dates of birth, physical descriptions, primary languages, relatives, genders and photos, along with detailed notes on each person or company, TechCrunch reports. All the data was collected from public sources, Dow Jones says. It is not known yet whether anyone other than Diachenko accessed the data.
This isn't the first time Dow Jones has been involved in a major data leak. Two years ago, Dow Jones acknowledged that a similar cloud storage misconfiguration exposed the names and contact information of 2.2 million customers (see: Hole in the Cloud Service Bucket: Dow Jones Data Exposed).
Risk Management Challenges
Third-party vendor risk management has never been easy because it's difficult to mandate security controls for vendors. Experts say that companies find it challenging to gain a clear understanding of the way security is managed by vendors in their supply chain.
"With companies outsourcing their work, including IT, there is a massive change in risk paradigm," says Sunil Chandiramani, founder of NYKA Advisory Services, an India-based management consulting firm. "Previously, you might have been connected through hard copies. Today, we have vendors working on your systems as admins. They have visibility of your production plan."
Sachin Kawalkar, vice president at J.P. Morgan in India, notes: "Keeping a check on all vendors requires discipline, which is easier said than done, but nevertheless a crucial thing."
A number of financial institutions, including American Express, Bank of America, JPMorgan Chase and Wells Fargo, have formed an industry consortium to work toward transforming third-party risk management.
Kawalkar suggests that companies rate vendors that have access to their data based on the level of risks involved.
"High-risk vendors need to be assessed more frequently," Chandiramani says. "Rather than just sending across questionnaires ... annually, it is important to have a better understanding of how well the security controls perform." This includes asking vendors for regular threat intel reports, having internal audit teams visit vendors, and updating vendor policy agreements on a regular basis, Chandiramani says.
When entering a contract with a new vendor, Chandiramani says, "it is vital to make vendors understand your security expectations and standards. If any noncompliance is there, companies must communicate to vendors and make sure that due process is implemented within a certain time period."