Two million Dow Jones customer details exposed via cloud

Personal details and some credit card info were vulnerable to hackers

At least two million Dow Jones customers have had personal details exposed online via an unsecured cloud file repository.

Dow Jones, which owns the Wall Street Journal, confirmed to IT Pro that approximately 2.2 million customers were affected, though cybersecurity firm UpGuard estimates the number to be closer to four million accounts.

The exposed information included names, addresses, account information, email addresses, and the last four digits of credit card numbers.

There were also 1.6 million exposed entries in a collection of databases known as "Dow Jones Risk and Compliance", which are subscription-based programmes used by financial institutions to understand how to be compliant with anti-money laundering regulations.

The data was found in an Amazon Web Services (AWS) S3 bucket that had been configured to allow any AWS "Authenticated Users" to download the data. Amazon defines an authenticated user as any person with an AWS account, of which there are over a million, and an account is free to sign up for.
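An added example, not part of the original article and not Dow Jones or AWS code: a check that flags the kind of grant described above in an ACL document shaped like the response of S3's GetBucketAcl call, and produces the same ACL with that grant removed. The sample ACL, its placeholder IDs and the function names are constructed for illustration.

```python
# Predefined S3 grantee groups; a grant to either one reaches far beyond the owner's account.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def audit_acl(acl):
    """Return one finding per grant that targets a predefined global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in GLOBAL_GROUPS:
            findings.append({
                "group": uri.rsplit("/", 1)[-1],
                "audience": GLOBAL_GROUPS[uri],
                "permission": grant.get("Permission"),
            })
    return findings


def restrict_acl(acl):
    """Return a copy of the ACL with every global-group grant removed."""
    kept = [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") not in GLOBAL_GROUPS]
    return {**acl, "Grants": kept}


# Constructed sample in the shape of a GetBucketAcl response; the IDs are placeholders.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f"{f['group']} ({f['audience']}) holds {f['permission']}")
```

Object ACLs use the same Owner/Grants structure, so the same check applies to them.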

A spokesperson for Dow Jones told IT Pro: "We were made aware that certain Dow Jones/WSJ subscriber and Risk & Compliance content was over-exposed on Amazon Cloud (not the open internet). This was due to an internal error, not a hack or attack. The customer information included basic contact information; it did not include full credit card or account login information that could pose a significant risk for consumers or require notification."

The spokesperson added: "The Risk & Compliance data included content curated exclusively from publicly available sources such as newspaper articles, government issued watch lists, and other publicly available information; it did not include any customer information. We have no evidence any of the [exposed] information was taken. Even so, we immediately secured the data once we became aware of the problem. We take the security of Dow Jones information very seriously."

Dan O'Sullivan, cyber resilience analyst at UpGuard, stated that the unsecured information "would be of use to any spammers or digital marketers, but could also be used [for a] far more malign effect". Malicious actors, for instance, could use the information for phishing, pretending to be from the Wall Street Journal and telling customers their account had been compromised or that there was a problem with their subscription.

Dow Jones isn't the only company to have exposed customer details online via an AWS server - a Verizon data breach last week saw six million customer records compromised on an unprotected AWS S3 storage server. Each record included the customer's name, mobile number, and account PIN as well as their home and email address, and Verizon account balance.

Verizon stated that there was no loss or theft of Verizon customer information and that "the overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included".

Meanwhile, the WWE exposed three million fans' accounts online in the same manner, and the AA also suffered a similar fate.
