Data of 7 Million People Exposed Via US Marketing Platform
A Misconfigured AWS S3 Bucket Was Left Without Any Encryption
A massive data breach affecting an estimated 7 million people has been uncovered. The victims are primarily leads and prospective customers of the American marketing automation platform Beetle Eye, researchers say.
Beetle Eye, which is an online tool that allows marketers to streamline their email marketing campaigns, had a misconfigured Amazon Web Services cloud storage bucket exposing more than 6,000 files, totaling in excess of 1 GB of data, according to researchers at Website Planet.
The researchers say that the AWS S3 bucket was left without any password protection or encryption.
They say the exposed records contained several forms of PII related to the leads, or potential customers, of companies using Beetle Eye’s marketing automation platform. "We found more than 10 different folders in Beetle Eye’s open bucket. Each file within these folders contained data for one of the exposed clients," the researchers say.
In total, the researchers uncovered three different datasets on Beetle Eye’s bucket: unnamed leads, GoldenIsles.com leads and Colorado.com leads.
Shane Curran, CEO at Evervault, says companies storing personal information in plaintext without encryption is inexcusable, as is storing sensitive data without a password.
"As an industry, we must do better to safeguard information and protect people's personal data. These incidents highlight the failure to employ basic security protocols on servers that essentially contained the "keys to the kingdom." Data leaks are not only damaging to breached organizations but are particularly worrying for the people whose information spills out onto the internet, leaving them at risk of being targeted in the near future," Curran says.
Researchers identified the owner of the unsecured Amazon S3 bucket on Sept. 9, 2021, using the references and links to Beetle Eye. They sent a responsible disclosure of the data breach to Beetle Eye and Atlantis Labs, Beetle Eye’s parent company, on the same day and sent two follow-up messages to Beetle Eye over the next two weeks.
On Sept. 15, 2021, the researchers sent a responsible disclosure of the breach to AWS, and on Sept. 21, 2021, they sent a responsible disclosure to the U.S. Computer Emergency Readiness Team.
A spokesperson for Beetle Eye was not immediately available to comment.
Beetle Eye has an estimated annual revenue of less than $5 million, according to Zoominfo. The researchers say that other than GoldenIsles.com and Colorado.com, Beetle Eye's high-profile clients include the Hilton Sandestin Beach, the Marigot Bay Resort, and Miles Partnership.
Third-Party Data Exposed
The researchers discovered an unnamed leads dataset containing numerous forms of lead PII that were collected for an unnamed organization.
During analysis of a portion of the files, the researchers found around 8,500 log entries of unnamed PII, but the true volume of records is likely far greater, as they could only check a sample of records, for ethical reasons.
They were also able to identify "change of address" information featured among the unnamed dataset's logs. This information is associated with a citizen's official request to change their postal address.
"The AWS S3 bucket contained records of people’s old and new postal addresses, which is why we think these are 'change of address' records. The lead PII in unnamed leads includes: full names; first names and surnames, addresses (current and previous), ZIP codes (current and previous) and cities (current and previous)," the researchers say.
"Yet another publicly accessible S3 bucket with sensitive information. There used to be a time when we could write off such practice to neglect, but Amazon put in several controls to ensure S3 buckets are not publicly exposed unless the owner goes in and knowingly changes the access policy to make the bucket public," says Pascal Geenens, director of threat intelligence at Radware.
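The controls Geenens refers to are the bucket's Block Public Access settings, its bucket policy and its default encryption configuration. The following audit helper is an added example, not code from Website Planet or Beetle Eye: it takes those three settings in the shape the S3 API returns them and lists the misconfigurations described in the article. The inputs are constructed samples and the bucket name is a placeholder.

```python
import json

# Constructed sample inputs, shaped like the responses of GetPublicAccessBlock,
# GetBucketPolicy and GetBucketEncryption. Not data from the Beetle Eye bucket.
SAMPLE_PAB = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-leads-bucket",
                     "arn:aws:s3:::example-leads-bucket/*"],
    }],
})
# None models a bucket where GetBucketEncryption returns no configuration.
SAMPLE_ENCRYPTION = None

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_public_principal(principal):
    """True when a statement's Principal grants access to anyone ('*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket(pab, policy_json, encryption):
    """Return the list of findings for one bucket's settings (empty if clean)."""
    findings = []
    for key in PAB_KEYS:
        if not (pab or {}).get(key, False):
            findings.append(f"public access block: {key} is disabled")
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for stmt in [statements] if isinstance(statements, dict) else statements:
        # An unconditional Allow to '*' is exactly the knowing change that opens a bucket.
        if (stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(f"bucket policy: statement {stmt.get('Sid', '?')} allows anonymous access")
    rules = (encryption or {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("encryption: no default server-side encryption configured")
    return findings
```

Feed it the real responses from the S3 API for each bucket in an account to turn it into a periodic check.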
The researchers also collected a set of data from the Golden Isles tourist board and its associated website, GoldenIsles.com. In the portion of files they analyzed, the researchers found more than 320,000 log entries of data relating to the leads of GoldenIsles.com.
"However, there were likely more log entries contained in other files of this type. GoldenIsles.com leads files contained several forms of lead PII, along with survey answers and data collection information: full names, addresses, email addresses, phone numbers, company name (if any), data collection information; i.e. where the data on leads was acquired, survey answers; questions and each lead’s answers relating to the Golden Isles and GoldenIsles.com," researchers say.
The third set of data was compiled information about leads for the official tourist board of the state of Colorado, along with its website Colorado.com. Researchers estimate that there were more than 590,000 log entries of this type.
The Colorado.com leads files contained several forms of lead PII (full names, addresses and email addresses), as well as survey questions and answers about Colorado and Colorado.com magazine subscriptions.
The researchers say that Beetle Eye’s bucket was live and was being updated at the time of discovery. They estimate that the log counts for each dataset are the minimum based upon the sample of files they observed in the bucket, and they suggest that the true number of logs is far greater.
"Estimates suggest 7 million unique users were exposed in this data breach. This estimate is based on a sample of roughly 0.124GB of .csv files, taking duplicates into account. Beetle Eye assigns a unique ID to each 'lead' on the database, which helped us figure out the duplicates," the researchers say.
The researchers also say that Beetle Eye might face various sanctions and damages as a result of this data exposure, and leads of the aforementioned organizations that use Beetle Eye’s platform could also be affected.
Geenens says that the leak from Beetle Eye affects GoldenIsles.com and Colorado.com, who were paying customers of the nurturing and marketing platform. It demonstrates again that auditing the security controls and processes of partners and contractors is as important as internal audits, especially when you entrust those third parties with sensitive information that can affect your customers and ultimately your reputation, he says.
The researchers say that this misconfiguration ultimately affects potential customers of other organizations - entities using Beetle Eye’s platform.
"Exposed leads on the database may have never done any business with each company, they are potential customers," the researchers say. "This points to the vulnerability of our information and the trust we place in those who collect it - even if we don’t hand over money. For example, it appeared that one of the companies collected data across social media giveaways, email sign-ups, website cookies, and various other sources."
The researchers estimate that roughly 99% of the users included in the bucket appear to be located throughout the United States and that a small portion of the bucket’s content is for Canadian citizens.
The researchers warn that they could not discover whether malicious hackers have accessed the personal data stored on Beetle Eye’s database and thus whether users may be targeted with scams, phishing attacks and malware.
"The attacker could convince the user to click a link or provide additional forms of PII that could aid in further fraudulent crimes. Links could contain malware which, once clicked, could download a malicious payload onto the user’s device," the researchers say.
Beetle Eye could also be affected by phishing attacks, and rival businesses could phish for intellectual property or industry secrets from Beetle Eye, the researchers say.
"Phishers could pose as a representative of one of Beetle Eye's clients or as a Beetle Eye employee, referencing the exposed list of 'leads' to build trust with Beetle Eye staff. From here, the attacker could ask questions about Beetle Eye's business operations. Rival businesses could target leads with their own marketing/sales communications, eventually stealing potential trade from Beetle Eye clients."
The researchers say that Beetle Eye could be subject to sanctions from the U.S. Federal Trade Commission if they have mishandled consumer data.
The researchers say that Beetle Eye may have broken the Federal Trade Commission Act by exposing the personal data of US consumers. "Under Section 5 of the FTC Act, the maximum fine for mishandling US consumers’ data is $100 million with the potential arrest of guilty individuals," they say.