Viacom’s “Master Controls” Exposed in Another Amazon Error

Another week, another high-profile company storing sensitive data in Amazon Web Services (AWS), with very little or no security protections.
Viacom Inc., a major media conglomerate with brands like MTV, Comedy Central, and Paramount Pictures, was found to have stored sensitive information about its IT infrastructure in an Amazon Simple Storage Service (S3) bucket that was open to the public.
Researchers at UpGuard Inc. discovered the exposure at the end of August and made it public on Tuesday. They have spent months searching for similar incidents, including those involving the Republican National Committee, Verizon, Dow Jones & Company, and the Chicago Election Board.
In Viacom’s case, the sensitive data did not include private information of individuals, but rather “the master controls” for the company’s IT infrastructure. According to UpGuard’s reports, the exposed data included:
A vast array of internal access credentials, as well as critical data, was exposed in the leak. This could have been used to cause great harm to the business operations of the multinational corporation. The leak exposes a master provisioning server running Puppet that was left open to the public internet. It also contains credentials required to build and maintain Viacom’s servers across many subsidiaries and dozens more brands. The most damaging data is Viacom’s secret cloud keys. This could expose the cloud-based servers of the media conglomerate and put them in the hands of hackers.
UpGuard claimed it discovered the data on August 30 and alerted Viacom on Aug. 31. Viacom secured its data “within hours of learning about the exposure.”
According to UpGuard, the data was stored in a publicly accessible S3 bucket under the “mcs_puppet” subdomain. UpGuard determined that “mcs” refers to Viacom’s Multiplatform Compute Services unit. This unit, based on job descriptions, is responsible for managing, configuring, and monitoring Viacom’s IT systems.
UpGuard stated that the bucket contained “the primary or back-up configuration of Viacom’s IT infrastructure” and the credentials for Viacom’s AWS account.
The bucket also contained files that were linked to Viacom’s Puppet account. Puppet is a configuration management tool that automates the provisioning of servers within an organization. According to UpGuard, Viacom could have suffered from the exposure of this information. “Imagine a skeleton key that opens every door in a house. But it could also open every door that could be added.”
Viacom exposed the blueprints of its future IT infrastructure in the public cloud. This would have been a disaster for the company if cybercriminals had found it, according to UpGuard researchers. For example, criminals could have seized control of Viacom’s digital brands and used them to create phishing schemes or set up new servers in the network to run botnets.
Researchers stated that Viacom’s data leak was “remarkably potent” and “of great importance”, reminding users that cloud leaks do not have to be large in size to be catastrophic. “Quality can be just as important as quantity when it comes to data exposures.”
Viacom, for its part, stated that it had reviewed the data and determined that there was no compromise after UpGuard alerted it.
Viacom was made aware that technical information stored on a server, but not customer or employee information, was publicly accessible. We rectified the problem. We have analyzed the data.