Dow Jones exposes 2.2M customers’ data in error,
The information of more than 2 million Dow Jones customers was left exposed online after the company made an error in the access preferences on a cloud storage system, the publisher said Monday.
The names, addresses, account information and last four digits of credit-card numbers of some subscribers of Dow Jones publica- tions — including The Wall Street
Journal and Barron’s — was available to anyone who had an Ama- zon Web Services account.
Chris Vickery, director of cyber risk research at UpGuard, found the exposure May 30 while searching for exposed data on AWS servers. He said Dow Jones said it had secured the data on June 6. Dow Jones said the data was secured immediately after the company was notified, and it has “no evidence any of the overexposed information was taken.”
Vickery believes the employee who set the bucket to be viewed by “Authenticated Users” did not realize that meant the information would be available to all AWS users, not just Dow Jones employees.
The Wall Street Journal reported on the exposure Sunday.
The data exposure follows Verizon’s admission last week that a vendor had left the names, addresses — and in some cases, PINs — of 6 million customers exposed on Amazon’s cloud storage platform. The Dow Jones leak had the potential to be worse because it contained partial creditcard information.
Dow Jones did not notify customers because the information had not been stolen and “the over-exposed data did not include full credit card or account login information that could pose a significant risk for consumers or require notification,” it said in a statement to USA TODAY.
AWS operates under a “shared responsibility” model with the customer. The fast-growing Amazon unit controls the physical security and operating system and gives customers encryption tools, best practices and other advice to help them maintain security of their data. A spokesperson didn’t immediately respond to a request for comment.