Site icon Sophos News

News in brief: veterans among S3 leak victims; court rules on email privacy; man jailed for VPN sales

Your daily round-up of some of the other stories in the news

Veterans and TWC users’ data spills from leaky buckets

It’s only two weeks since we last wrote about yet another organisation spilling data online thanks to a misconfigured Amazon S3 bucket – and it’s not a new problem – so it gives us no pleasure to report not one but two more data breaches apparently resulting from someone not securing their S3 database.

More than 4m Time Warner Cable customers in the US are the latest victims of a breach, with Kromtech reporting that some 600GB of data visible online, apparently thanks to TWC’s technology partner Broadsoft failing to secure a database.

Broadsoft told Gizmodo that it didn’t think the data exposed was “highly sensitive”, adding: “We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed.”

But it’s not just TWC customers whose data has been spilled online – the personal details of thousands of American military veterans have also been leaked thanks to another misconfigured S3 bucket, said Upguard, which discovered the unsecured bucket.

Upguard analyst Dan O’Sullivan said that – as with the TWC breach – the data was spilled thanks to a third-party partner, in this case a private security firm called TigerSwan, which hires former service personnel. O’Sullivan added: “The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles.”

Amazon has provided guidance on how to make sure your S3 buckets are secure, and we can’t say this often enough: if you have responsibility for a database that’s stored in the cloud, make sure that it’s not spilling sensitive information online.

Court rules on email privacy at work

A Romanian man who was fired 10 years ago for sending personal messages at work should not have lost his job, the European Court of Human Rights has ruled.

The ruling is the culmination of a process that began when Bogdan Barbulescu was sacked after sending personal messages to his brother and his fiancée via a Yahoo Messenger account he set up at work. His employer had used surveillance software to check up on him, and a Romanian court ruled in 2007 that the company had been within its rights to do so.

However, the ECHR has now ruled that the Romanian court had failed to protect his right to privacy and that his employer had not warned him that it monitored communications, nor the possibility that it might access his messages.

There was no suggestion that Barbulescu had put his employer at risk by using the account to communicate with his family, and the court said that there hadn’t been a sufficient assessment of whether the company had legitimate reasons to monitor his communications.

Pam Cowburn of the Open Rights Group in London said: “The European court’s ruling is welcome. In some workplaces it may be necessary for emails to be monitored, but if employers are going to do so, they should make staff explicitly aware of it.”

Chinese man jailed for selling VPNs to bypass Great Firewall

A man has been jailed for nine months for in China for selling VPNs that allowed users to bypass the “Great Firewall of China”. Deng Jiewei, 26, from Guangdong province, sold VPN software via his website two years ago, and was arrested in October last year.

China has been cracking down on access to the web and social media platforms, driving many to circumvent the restrictions by using VPNs. Beijing’s crackdown was stepped up in January, forcing vendors to stop selling VPN software and leading Apple to remove VPNs from its Chinese app store.

Deng was sentenced back in March, but it was only over the weekend that news of his jailing was picked up over social media, reported the South China Morning Post.

Catch up with all of today’s stories on Naked Security


Exit mobile version