P2023-ND-013

The Organization operates a number of online storefronts. In the course of its operations, they obtain certain services from Amazon Web Services (AWS). On February 8, 2023, the Organization “received feedback from an anonymous caller about a data file allegedly containing … customer records leaked on a … breach forum.” The Organization investigated; they assessed the records to be “highly similar to a CRM-exported data file with customer records stored on AWS S3.” The Organization initially reported that the incident is the result of an insider threat or a “misconfiguration” of their AWS S3 environment, enabling the “enumeration … and subsequent exfiltration” of data. On March 7, 2023, the Organization clarified “the likeliest scenario is that the address of the AWS S3 object associated to the [data] … was inadvertently exposed to the internet” between “September 14, 2020 … and February 5, 2023.” “A precise date cannot be determined because there is limited logging capability within the Organization’s test environment, as is characteristic of such non-production environments.” The data file “was made available on the breach forums on February 5, 2023” and “is still available” as of March 7, 2023.

File Type: pdf
File Size: 200 KB
Categories: 2023