Hobby Lobby, an arts-and-crafts retailer, exposed 138GB of sensitive customer data on the public internet.
Customer information was exposed because of a cloud-bucket misconfiguration in an Amazon Web Services (AWS) cloud database, according to a report by an independent security researcher who goes by the handle “Boogeyman.”
The researcher found the issue and reported it to Motherboard in an online chat, according to a Vice post.
The exposed data included customer names, payment card details, phone numbers, and physical and email addresses, as well as employee names and email addresses. Source code for the company’s app was also exposed.
The exposed data belonged to about 300,000 customers and totaled 138GB.
Boogeyman shared screenshots to prove the exposure of the data.
Although the issue has now been resolved, it’s unclear whether anyone stole the information before the database was secured.
“We identified the access control involved and have taken steps to secure the system,” Hobby Lobby told Motherboard.
Cloud misconfigurations are a common threat for many organizations. An analysis last fall found that 6% of all Google Cloud buckets are misconfigured and expose their contents to the public.
“The Hobby Lobby incident is the latest example of why we need to take public cloud threat vectors so seriously,” Douglas Murray, CEO at Valtix, told Threatpost. “In 2020, spend in public cloud exceeded spend in on-prem data centers for the first time. The hackers are doing their own version of ‘lift and shift’ and are aggressively moving to where the market is going.”
Due to the pandemic, many organizations have transitioned to the cloud. They run massive infrastructure that may span thousands of host servers, but have immature security practices and measures in place.
Amazon’s S3 service makes it simple to move organizational data into the cloud. But that simplicity, and the speed at which organizations scale up their services, lead to misconfigured buckets and exposed data.
To mitigate the risk of a data leak, organizations have to ensure they secure every step of their infrastructure, from individual endpoints to the cloud itself.