Breaches Caused by Cloud Misconfigurations on the Rise

Yesterday, DivvyCloud, a leading provider of security and compliance automation for cloud and container environments, released its 2020 Cloud Misconfigurations Report. Today, the most circulated security news story is about the personal data of more than 10 million people exposed in a breach of MGM’s cloud servers.

The MGM hack happened last summer, but as these things go, it took some time before it became widely known. “Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM told ZDNet, which initially reported this incident.

The DivvyCloud 2020 Cloud Misconfigurations Report substantiates the growing trend of data breaches caused by cloud misconfigurations and quantifies their impact on companies and consumers around the world. DivvyCloud research found that nearly 33.4 billion records were exposed in breaches due to cloud misconfigurations in 2018 and 2019, amounting to nearly $5 trillion in costs to enterprises globally.

Although it was MGM’s cloud server that was breached, nothing has been released at this point beyond the fact that someone gained unauthorized access, including the specifics of how the server may have been misconfigured.

Compared to the 2017 Marriott Hotels breach, the MGM hack is small. The Marriott Hotels incident yielded personal data for hundreds of millions of users. And yet, this latest breach is indicative of an increase in cloud server incidents. DivvyCloud reported that “Year over year from 2018 to 2019, the number of records exposed by cloud misconfigurations rose by 80%, as did the total cost to companies associated with those lost records. Unfortunately, experts expect this upward trend to persist, as companies continue to adopt cloud services rapidly but fail to implement proper cloud security measures.”

USA TODAY, reporting on the MGM attack, said, “Victims appear to include celebrities, government officials and prominent CEOs and tech company employees, among other guests. Justin Bieber and Twitter CEO Jack Dorsey were among the names reported. Twitter representative Giovanna Falbo declined to comment on Dorsey’s behalf.”

Tom Garrubba, CISO, Shared Assessments, commented, “What is notable about this event is the caliber of the affected clientele. The published list of affected customers ranges from pop music figures to tech industry executives, along with employees representing various government agencies from across the globe. This breach also appeared to have ‘flown under the radar’ in security and privacy breach circles.

“Despite MGM’s quickly notifying hotel guests impacted by the breach in accordance with applicable state laws, it’s a clear concern that many of the contact details were still valid, particularly the phone numbers. If an affected customer did not take appropriate measures to change their contact information (i.e., new email addresses or phone numbers), their exposure is dramatically increased, along with their odds of receiving spear-phishing emails and SIM swapping attacks.

“As this breach shows, it doesn’t matter if you have a song on the pop charts or you set strategy for one of the various government agencies. Post-breach, any affected user needs to take steps on their own to ensure their data safety, such as changing or modifying basic contact information or replacing existing accounts.”

Key findings of DivvyCloud’s 2020 Cloud Misconfigurations Report include:

● 81 breaches in 2018; 115 in 2019—a 42% increase

● Tech companies had the most data breaches at 41%, followed by healthcare at 20%, and government at 10%; hospitality, finance, retail, education, and business services all came in at under 10% each

● 68% of the affected companies were founded prior to 2010, while only 6.6% were founded in 2015 or later

● 73 (nearly 42%) of known affected companies experienced a merger or acquisition (M&A) transaction between 2015 and 2019, which indicates cloud security is an area of risk for companies involved in merging disparate IT environments

● Elasticsearch misconfigurations accounted for 20% of all breaches, but these incidents accounted for 44% of all records exposed

● The number of breaches caused by Elasticsearch misconfigurations nearly tripled from 2018 to 2019

● S3 bucket misconfigurations accounted for 16% of all breaches; however, there were 45% fewer misconfigured S3 servers in 2019 compared to 2018

● MongoDB misconfigurations accounted for 12% of all incidents, and the number of misconfigured MongoDB instances nearly doubled YoY

For additional findings and analysis, see DivvyCloud’s full 2020 Cloud Misconfigurations Report.

DivvyCloud maintains that “To avoid cloud misconfigurations, companies need to immediately shift toward a new model of security that provides continuous controls and enforces secure configurations of cloud services, instead of attempting to do so weeks, months, or years later. This shift should not be viewed as a one-time event; rather, it should be monitored and enforced constantly and in perpetuity, as the dynamic, software-defined nature of the cloud leads to frequent changes.”

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications.