The Website Planet security team identified an open Amazon S3 bucket belonging to logistics behemoth D.W. Morgan. More than 100 GB of sensitive data about shipments and the company’s clients, including several Fortune 500 businesses like Cisco and Ericsson, was stored in the S3 bucket.
On November 12th, 2021, the researchers identified the open AWS S3 bucket and alerted the firm the same day. D.W. Morgan secured the S3 bucket on November 16th, 2021. According to the researchers, the database held more than 100 GB of data, including 2.5 million files containing financial, shipping, transportation, personal, and sensitive details belonging to D.W. Morgan’s employees and clients throughout the world. Ericsson, a Global 500 firm, and Cisco, a Fortune 500 corporation, were among them.
Even though the database was found on November 12th, 2021, Website Planet only disclosed its findings last week. At the time of this writing, it is unclear whether threat actors accessed the content of the S3 bucket while it remained unprotected online.
“We cannot know whether bad actors acquired the bucket’s content. If malicious actors have accessed the bucket, D.W. Morgan and its clients could be targeted with criminal activities,” according to the Website Planet post. “D.W. Morgan could also face legal sanctions from several jurisdictions.”
Because the data of the company’s clients was exposed, they might be targeted with harmful activities such as phishing campaigns and fraud.
While it cannot be known whether malicious actors have accessed the bucket’s content, there are several risks that exposed customers may face if the sensitive data stored on D.W. Morgan’s misconfigured bucket has been downloaded or read, the post concludes. “In particular, businesses could experience criminal activities and forms of cybercrime as a result of the open bucket.”