Nowadays, a great deal of information is collected and stored on web services. People hand their information to companies, sometimes willingly and sometimes because a service requires it, and the companies hold it in the cloud or on web servers. But what happens when a company stops managing that storage, for instance after a bankruptcy? Do users suffer? Most likely, yes. The S3 bucket data leak case shows what can happen. In this post, we examine this leak and raise the topic of data regulation.
What Happens to Data When A Company Goes Bankrupt
The example of a misconfigured AWS S3 bucket and the data it exposed raises a significant cybersecurity question: what happens to sensitive data when it is no longer managed? Specifically, a researcher discovered a misconfigured S3 bucket with 80,000 files sitting in the open, and the case shows how bad such a leak can be. The exposed files were highly sensitive government identification and biometric records: ID cards, driver’s licenses and 10,000 fingerprint scans. A driver’s license alone carries several pieces of private information: the license number, full name and birth date.
There were also other data identifying the people involved. Government ID data covers home addresses, gender, hair color, eye color, height, weight and the photographs taken, which amount to a clear profile picture.
This breach shows how a leak can cause irreversible harm to identity. Beyond the ID data, the store held 10,000 fingerprint scans, and that is the downside of biometrics. Whenever biometrics are involved, the unfortunate reality is that if they are breached or lost, the correct mindset is to treat them as compromised for good: they can never be used again. You get one chance to keep them protected, especially fingerprints, because you cannot change your fingerprints. If you lose certificates or keys, you can replace them; if your account is compromised, you can change your password, reset multi-factor authentication and take other steps. But your biometrics are a unique, single attribute of you. Once they are lost, stolen or out in public, you can never use them again, because you have no idea where they are. That is the downside.
Reasons Behind The Breach
Notably, the S3 bucket turned out to be owned by a company that had closed. It no longer appeared to exist: its content was shuttered, the contact email was invalid and its websites were all offline. That is where Amazon Web Services comes in, because storage is cheap, practically free; the bucket was probably just being billed a few dollars a month while sitting there doing nothing. After Amazon found out, they closed the issue.
The open question, nevertheless, is how long that S3 bucket had been open and how many other people had found it. The data appeared to go back as early as 2012, covering 2012 to 2015, and it was discovered in October 2020. That is eight years of potentially misconfigured access. Within cybersecurity, it is a blatant event.
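An S3 bucket becomes public through its ACL, its bucket policy, or an incomplete Public Access Block. As an added example (not code from the original post), the following Python checks all three against constructed sample data shaped like the responses of boto3's get_bucket_acl, get_bucket_policy and get_public_access_block calls; the owner ID and bucket name are placeholders, and any Public Access Block flag that is off is treated conservatively as no protection.

```python
import json

# Group URIs S3 uses for "everyone" and "any AWS account" in bucket ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(grants):
    """Return (permission, group) pairs granted to the two public groups."""
    hits = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((g["Permission"], grantee["URI"].rsplit("/", 1)[-1]))
    return hits

def open_policy_statements(policy_json):
    """Return Sids of Allow statements with a wildcard principal and no Condition."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    sids = []
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        p = s.get("Principal")
        aws = p.get("AWS", []) if isinstance(p, dict) else p  # "*" or {"AWS": "*"} are both wildcards
        if s.get("Effect") == "Allow" and "*" in (aws if isinstance(aws, list) else [aws]) and not s.get("Condition"):
            sids.append(s.get("Sid", "<no Sid>"))
    return sids

def assess_bucket(grants, policy_json, pab):
    """List what is public; pab is the PublicAccessBlockConfiguration dict or None."""
    findings = [f"ACL grants {perm} to {group}" for perm, group in public_acl_grants(grants)]
    findings += [f"policy statement {sid!r} allows any principal" for sid in open_policy_statements(policy_json)]
    # Public Access Block overrides public ACLs/policies only when all four flags are on.
    missing = [f for f in PAB_FLAGS if not (pab or {}).get(f)]
    if findings and missing:
        findings.append("Public Access Block incomplete: " + ", ".join(missing))
    return findings

def is_exposed(grants, policy_json, pab):
    """True when a public grant or statement exists and Public Access Block does not override it."""
    return any("Public Access Block incomplete" in f for f in assess_bucket(grants, policy_json, pab))

# Constructed sample: a world-readable ACL, a public ListBucket policy, no Public Access Block.
SAMPLE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
                 {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicList", "Effect": "Allow",
                 "Principal": "*", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]})
if __name__ == "__main__":
    print("exposed:", is_exposed(SAMPLE_GRANTS, SAMPLE_POLICY, None), assess_bucket(SAMPLE_GRANTS, SAMPLE_POLICY, None))
```

Against a real account, the same functions take the `Grants`, `Policy` and `PublicAccessBlockConfiguration` fields returned by boto3 for each bucket, so an abandoned bucket like the one described above would be flagged on every run.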
Bankruptcy of Companies: Unmanaged Data
Interestingly, this raises a good issue: when you do business with a company and that company goes bankrupt, your affairs are at risk. In the S3 bucket case, it looks like the owners simply closed the business, got up and walked away. But how should owners shutter a company from a data security standpoint? What happens to your data? Unfortunately, there really is no process, law or regulatory requirement.
Yes, you can chase down the liability, but the way the laws are set up, liability attaches to the organization, the business or the LLC, not necessarily to an individual, and that company no longer employs any individuals.
So it is a legal gray area: the liable party is just an entity, and whatever assets that entity has in bankruptcy court would pay for any compensation or liability, which is going to be near zero. And it does not matter anyway, because your data is already out there.
That is the risk one runs in dealing with all these different companies asking for highly sensitive data. They are responsible for storing it and keeping it secure, but what if they just get up and walk away?
So the main questions for a bankrupt company having sensitive data are:
- Do they have a process to wipe all the servers?
- If they sell the assets, are they wiping the servers before the sale, or just putting them on Craigslist, eBay, an auction block or wherever?
- What is the process for that?
- Are the owners wiping the systems, or do they remain in control of that data?
That raises a whole range of questions and topics that hopefully none of you run into, from an employment or organizational standpoint as well as from a customer standpoint. It is the other downside risk of decentralized data use. There is no good centralized process through which people request access to highly sensitive data like a driver’s license number, and there should be no reason for individual companies to be scanning driver’s licenses at all.
Necessity of a process to prevent such data leaks
There should be a process in place whereby a company requests validation from a central location and never stores that data, looks at that data, or has to be in control of it. Instead, thousands of companies hold the data and share it around, and every one of them is responsible for it, so the risk goes up.
It is no wonder that we have identity theft and fraud all over the place. It is not necessarily the fault of individual companies; it is an overarching problem with our system and how we access, need, use and share data. There is no one-stop shop to request it, so the individual has to provide it. Then the company goes bankrupt, and the server sits out there for who knows how long with no one to be held accountable.
That is the danger of it. There are surely more cases like this out there, and more situations yet to come. You are trusting the company to do its best, but when it goes bankrupt, or for whatever reason simply stops caring, it can just get up and walk away, and all of that sensitive data stays out there on the information superhighway where anybody can reach it if it is publicly accessible. No one is held accountable, yet everyone else becomes a victim.
Data collected by now-bankrupt companies is just one more thing to think about as you hand over your data, whether for work, business or personal matters. What if you or they go out of business? What happens to your data? It is one more thing to worry about in the cybersecurity industry, a great industry for keeping you up at night with ever more security concerns.