Edmonton Journal

TD Bank, Ford files found online in cloud data exposure

- Nico Grant and Josh Eidelson

Attunity Ltd., a company that manages and safeguards data, left internal files exposed on the internet for clients including the Toronto-Dominion Bank and Ford Motor Co., in the latest example of sensitive information being publicly accessible on the web.

The incident revealed passwords and network information about Attunity as well as emails and technology designs from some of its high-profile customers. Researchers at UpGuard Inc., a cybersecurity company, found more than a terabyte of data left unsecured by Attunity last month on Amazon Web Services cloud-computer servers, according to a report they published Thursday.

Attunity is a data custodian that helps integrate clients’ information stored in various places so it can be analyzed easily. The company, based in Kfar Saba, Israel, is an “Advanced Technology Partner” of Amazon.com Inc.’s cloud division. Yet Attunity didn’t configure its cloud storage so it was locked to the public and left all of the data visible in plain text, UpGuard said. The failure is similar to an incident Bloomberg News reported in April when digital platform Cultura Colectiva openly stored 540 million records on Facebook Inc. users in Amazon’s cloud.

Attunity’s data buckets included files about Ford’s information-technology architecture and details on internal project plans. Documents attributed to TD Bank included invoices, agreements between the companies, and files about the type of technology solution Attunity was configuring for the bank. There was also log-in information for a database Attunity created when it was trying to sign Netflix Inc. as a client in 2015. Netflix downloaded a demo of an Attunity tool that could have helped the streaming company switch databases, but never became a customer, according to a Netflix spokeswoman.

The centrepiece was a large collection of Attunity files including administrative and employee passwords to various systems, extensive employee email backups, a roadmap to the company’s virtual network and personal information about Attunity’s employees. The widespread presence of login credentials swelled the potential harm of the data leak, according to UpGuard.

“It’s a category of data breach we refer to as a keys-to-the-kingdom exposure,” said Chris Vickery, director of cyber-risk research at UpGuard.

So far, UpGuard said it had no evidence that any bad actors took advantage of the information when it was accessible online. Attunity removed public access to the buckets the day after UpGuard informed the company about the breach in May, but it took several weeks before Attunity asked the cybersecurity company more detailed questions about the data exposure, according to Vickery.

Attunity said current evidence indicated UpGuard was the only entity that accessed the data.

“We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations,” Derek Lyons, a spokesman for Attunity’s parent company, Qlik Technologies Inc., said in a statement. “Attunity customers deploy and operate the software directly in their own environments, and therefore Attunity doesn’t store or host sensitive customer data. Upon becoming aware of the issue, Qlik applied its security standards and best practices to the Attunity environments, including monitoring by Qlik’s 24x7 security operations center. We take this matter seriously and are committed to concluding this investigation as soon as possible.”

TD Bank said it was also trying to assess the impact of the data exposure in a timely manner.

“We are currently investigating this matter and, thus far, we have found no evidence that our customers’ personal and financial information was exposed,” said Matthew Doherty, a spokesman for the bank. “We also have safeguards in place that are designed to help deter unauthorized access and use of our customers’ personal and financial information.”

Ford said it was never notified about a data exposure. “We know the kind of information we provide to companies like Attunity, and we don’t believe there’s an issue,” said Monique Brentley, a spokeswoman for the carmaker.

Netflix said Attunity never had access to the company’s technology systems.

Attunity is relatively small, posting sales of US$86.2 million for the year that ended Dec. 31, but it has a collection of big-name clients, such as drugmaker Pfizer Inc., Mercedes-Benz USA and Union Bank. In total, 44 members of the Fortune 100 and more than 2,000 organizations around the world use Attunity’s services, the company says on its website.

The data-migration company partners with many IT companies, including Microsoft Corp., Alphabet Inc.’s Google Cloud, Oracle Corp., and International Business Machines Corp., according to its website. Attunity had been publicly traded until May, when Qlik bought the company for about US$560 million. Radnor, Penn.-based Qlik, a data-analytics company, is owned by private equity firm Thoma Bravo LLC.

“It’s embarrassing for a company marketing services by saying we’ll help you use the cloud properly to make a mistake when they’re using it,” Adam Chlipala, a professor of computer science at the Massachusetts Institute of Technology, said in an interview. “At the same time, finding these types of AWS errors in a complex environment is not always obvious.”

Since Amazon has invested in more tools to spot these problems, he expects that “over time, there’ll be fewer and fewer of these data breaches.”

UpGuard couldn’t confirm the full size of the Attunity information, which dated to September 2014 and included 750 gigabytes of compressed email correspondence. Backups of some employees’ accounts for Microsoft OneDrive — a file-hosting service — were also present. Besides system passwords, the researchers also found contact information for sales and marketing customers and targets, and project specifications.

UpGuard also found personal information of about 354 of Attunity’s employees, such as U.S. social security numbers, cash-and-stock compensation and dates of birth. Attunity had 298 employees through the end of last year, according to data from a regulatory filing.

It would have been easy for Attunity to conceal the data from public view from the start, UpGuard’s Vickery said.

“It’s a one-to-three click fix,” he said. “It illustrates that there were systemic issues with security.”

Photo caption (Peter J. Thompson/files): TD Bank says it is investigating the impact of a data exposure from data custodian Attunity but has found no evidence of a breach of customers’ personal and financial information so far.
