It seems like we are seeing this again and again – a vendor sets up some Amazon storage and sticks some data in it. Sometimes the vendor forgets about it or the employee responsible for it leaves and the data is basically orphaned.
In this case the data was new, so it was not orphaned. The company, MBM, is a vendor to Walmart and sells jewelry on Walmart’s web site and probably in stores also.
The data was a SQL database backup in a bucket named WalmartSQL; the backup file was named MBMWEB_backup_2018_01_13_003008_2864410.bak.
In the names we see the strings Walmart, MBM and the date, Jan 13, 2018.
The backup itself is not encrypted; only the credit card data inside it is encrypted.
One of the reasons these breaches are so disappointing is that they could be easily avoided.
Here are some things that you should do to mitigate this risk:
- Inventory your data. Whether the data lives on a server in your office, on a removable hard drive in someone’s briefcase, with a cloud storage vendor like Dropbox or Amazon, or with a Software as a Service vendor such as Salesforce.com, you MUST know where your data lives.
- Assign a person to be responsible for this inventory (spreadsheet or database). This is far from a full time activity, but it is an activity that will never end.
- Create a policy that requires employees to notify the data manager any time a new vendor is added, a new data repository is created or data is moved from one location to another (like from a local server to an Amazon server).
- Ensure that data is encrypted if at all possible, especially if the data is stored on portable media or in the cloud. If this data had been encrypted, no one would be talking about MBM or Walmart.
- Create a policy and associated procedures that documents the rules for who has access to the data, how the access is granted AND REMOVED, and how access to the data is logged.
- Create a process to alert when these data access rules seem to be violated – whether by a hacker or an insider.
- Periodically audit the access rules.
- Run periodic tests to ensure that the system is enforcing the rules. If you automate the testing, the tests could be run every day or every hour.
- Finally, if there is a vendor involved, make sure the contract specifies who is responsible for implementing security, testing security, auditing security and liable in case of failure.
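As an added example of the automated, repeatable test described in the last items (not code from the original post), the Python below checks one S3 bucket's ACL, bucket policy and default-encryption settings against the rules above. The bucket name and the S3 responses are constructed inline so it runs offline; in production they would be fetched with boto3's get_bucket_acl, get_bucket_policy and get_bucket_encryption.

```python
import json

# S3 ACL grantee URIs meaning "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_is_public(acl):
    """True if any ACL grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
               for g in acl.get("Grants", []))

def policy_is_public(policy_json):
    """True if an Allow statement names a wildcard principal with no Condition."""
    if not policy_json:
        return False
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        p = st.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") == "*"):
            return True
    return False

def encryption_enabled(enc):
    """True if a default SSE rule exists; enc is None when S3 reports none."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("AES256", "aws:kms") for r in rules)

def audit_bucket(name, acl, policy_json, enc):
    """Return rule violations for one bucket; an empty list means compliant."""
    findings = []
    if acl_is_public(acl):
        findings.append(f"{name}: ACL grants read access to everyone")
    if policy_is_public(policy_json):
        findings.append(f"{name}: bucket policy allows a wildcard principal")
    if not encryption_enabled(enc):
        findings.append(f"{name}: no default server-side encryption")
    return findings

# Constructed sample resembling an exposed backup bucket: public-read ACL,
# no bucket policy, no default encryption (the bucket name is a placeholder).
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}

if __name__ == "__main__":
    for finding in audit_bucket("example-vendor-backups", SAMPLE_ACL, None, None):
        print(finding)
```

Run it from a scheduled job over every bucket in the account and alert on any non-empty result.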
Information for this post came from SC Magazine.