14 DAY TRIAL // Cybersecurity experts at WizCase discovered a large-scale data breach affecting Reindeer, a collaborator of Tiffany & Co, Patrón Tequila, and other companies, according to E Hacking News.
The organization, led by Ata Hakçil, discovered that the breach exposed personal information such as names, dates of birth, email addresses, phone numbers, and physical addresses. Cybersecurity experts believe a S3 bucket with a false configuration that belonged to Reindeer was compromised.
Valtix CEO Douglas Murray, said of the incident, "The leaked data dates from May 2007-February 2012. The public cloud brings a whole host of new issues to which organizations are still adapting. The case of the Reindeer breach raises serious questions about the shared responsibility model and certainly highlights the need for a layered defense. When it comes to PaaS services, like S3, organizations must implement network-based access controls and apply security policies to protect against sensitive data exfiltration,"
With approximately 50,000 files and a total of 32 GB of information exposed, Reindeer was forced to cease operations. This means that researchers had to turn to Amazon for details about the breach, as it was the only source that could provide more details on the matter. In addition to contacting Amazon, the team also notified US-Cert in hopes of contacting the company's former owner, but their attempts were unsuccessful.
An incorrectly configured S3 data bucket believed to be the source of the leak
The poorly constructed S3 bucket contained data from about 300,000 Reindeer customers. Patrón was the company with the most publicly exposed customer data, but other Reindeer customers, such as the British clothing company Jack Wills, were also affected.
Configuring permission/access flaws in cloud-based deployments seems to be a trivial procedure nowadays, as the evidence shows. Organizations that want to use cloud-based platforms should keep an eye out for security breaches and notify anyone of any suspected vulnerability in the cloud infrastructure. This should be done in conjunction with a secure cloud-based system.
The stolen information includes the IDs of 3,600,009 customers and photos of 1400 customers. According to experts, as many as 35 countries were affected by the breach, with the United States, Canada, and United Kingdom accounting for nearly 280,000 people.