Private information of roughly 1.3 million people was leaked to the public involving their personal data and contact information when a Walmart jewelry partner(Limogés Jewelry) that has links with Amazon Simple Storage Service was infiltrated.
The Kromtech Security firm revealed the news on the data leak of 1.3 million people
A small lapse in security judgement and misconfiguring the (Amazon Web Service)AWS S3 bucket by the Walmart jewelry partners left personal details and contact information of 1.3 million customers in plain sight.
The Simple Storage Service repository also contained an MSSQL database backup belonging to the MBM Company, a Chicago, Illinois-based jewelry company that is known for operating under the name Limogés Jewelry.
Kromtech Security discovered the publicly available bucket which mainly contained personal information, including names, addresses, zip codes, phone numbers, e-mail and IP addresses, encrypted credit card details, other payment details, and Amazon promo codes of over a million people living throughout the North American region(the US and Canada).
According to Kromtech Security’s report:
“The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon s3 buckets is simple ignorance. Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them,”
The Kromtech’s Security Team head of communications Bob Diachenko also stated the following on the origin of the data leak:
“At first glance, the data appeared to belong to Walmart as the storage bucket was named ‘walmartsql,’ However, upon further investigation by Kromtech, researchers discovered that the MSSQL database backup actually belonged to MBM Company.”
Bob Diachenko also revealed with the following statement the motives behind the data leak was still unclear, and there was no way to know who was the intended target. He also acknowledged that there was no evidence of a malicious party having any sort of access to the open bucket as there were no ransom notes, unlike the previous occurrence of such kind.
Despite the statement, this fact was too good to be accurate as there certainly could have been some sort of tinkering with the data and somebody could have accessed it without leaving any trace.
“Upon analyzing the content of the bucket, we’ve come to the conclusion that [these] were all MBM customers. However, it is unknown whether they’ve been accessing MBM inventory via Walmart platform (or other partner sites) or directly via Limogés Jewelry site.”
The data leak contained records of companies other than MBM
The data breach was said to be a backup file of the MBM company which was under the following filename:
It helped in identifying the users and customers whose private info got invaded or leaked to the public without their consent. There was much more to the story as it was not just individual customers who felt betrayed as the database suggested to contain traces of records for many other retailers other than MBM’s partner Walmart, including shipping companies like HSN, Amazon, Overstock, Sears, Kmart, and Target. The report put forward the following statement:
“It also contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders, which gives the appearance that this is the main customer database for MBM Company Inc. Records were seen with dates ranging from 2000 to early 2018.”
Kromtech notified Walmart of the open bucket involving user data
The Kromtech security firm also said that its researchers immediately told Walmart of the public Amazon S3 bucket upon discovery. Walmart responded by securing the storage bucket but did not give out a response on the data leak related to the MBM Company, leaving their relationship with them hanging by a thread, even after they were approached repeatedly to give out a statement.
This is not the first data breach concerning Amazon’s Simple Storage Service bucket
The recent open data leak related to MBM company and Amazon S3 put the spotlight on the service’s previous mishandling of data and being misconfigured by owners that were comprehensively covered.
Before that, an invalidly configured Amazon S3 bucket managed by Paris marketing firm “Octoly” left contact information and personal details for more than 12,000 individuals mainly social media influencers and celebrities to the public that could have been a disaster if it had gotten into the wrong hands.
A year before that in July 2017, close to 14 million people and clients were the victims of a similar mishandling as their information got leaked by an unnamed third-party partner, which involved the personal info of all of those clients including their phone numbers. The data leaked was from the database of the U.S.-based telecom company named Verizon.
Companies need to be more careful in handling their clients’ information – Final Thoughts
People hand out their personal information to companies like Amazon and Walmart due to the trust they have had placed on them over the years, which is challenging to gain once it is betrayed. There are plenty of credit cards that offer fraud prevention measures, but if the merchant accepting the card has been breached (or breached before) then sometimes those measures aren't enough.
The users still seem to remain loyal to the services provided by such companies despite the lack of acknowledgement and the fact that incident like the one we mentioned in this article happening before. Such organizations need to put basic safeguard routines in place in order to stop data leaks like that from occurring ever again.