Cayman Islands investment fund left data viewable on unsecured Azure blob
A Cayman Islands-based investment fund has exposed its entire backups to the internet after failing to properly configure a secure Microsoft Azure blob.
Details of the fund’s register of members and correspondence with its investors could be freely read by anyone with the URL to its Azure blob, the Microsoft equivalent of an Amazon Web Services S3 storage bucket.
As well as publicly exposing who its shareholders are, how many shares they hold, and the value of those holdings, the fund – which The Register is not naming after it agreed to talk in depth about its incident response process – had also saved a scanned copy of its online banking PIN to the blob. The Register viewed a subset of files from the blob to confirm their ownership and authenticity.
The blob address was indexed by a specialised search engine and was pointed out to The Register by an incredulous infosec source who wisecracked: “Money money money… must be funny… in a rich man’s world.”
The unnamed fund’s incident response consisted of disregarding the initial notification from The Register before asking a staffer with a compsci degree if he thought there was cause for concern. Luckily, that person realised what we were trying to tell them.
He said: “We use Azure for our server backup, it’s not our day-to-day server: people have set that up for us as a backup for disaster recovery and so on.”
The person, who described himself as a compsci grad with a strong maths background, said his bosses asked him to look at our email again just in case there was something more to it “than a phishing attempt”.
Documents seen by The Register in the unsecured blob stretch back years and include: scans of directors’ passports; letters to and from investors including commented files sent during commercial negotiations; term sheets; share certificates (including blank copies); documents signed by its directors and more.
The compsci chap continued: “This was the [backup] solution provided by our IT vendor in Hong Kong which we saw as fairly normal cloud provision. Clearly there’s some security issue there!”
He also added that the fund’s IT provider had removed all of its files from its Azure blob as a result of the breach, while expressing some doubts about the IT provider’s claim that Microsoft had ignored their requests for help over the weekend.
The fund, which falls into the smaller end of the SME bracket when judged on headcount, appears to have the same level of in-house IT expertise as any other small firm whose main business is not focused on IT: not a lot. Its staff were completely unaware of how Azure operated or how their files had been exposed to anyone with a web browser, and appeared to be totally reliant on their IT provider for everything other than basic office productivity software.
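One defender's check for the misconfiguration described above, as an added example (my code, not the fund's, its IT provider's or The Register's): it sends Azure's documented anonymous List Blobs request to a container in a storage account you administer and reports whether the container can be enumerated without credentials. The account and container names and the sample responses are constructed placeholders, not values from the incident.

```python
"""Audit helper: does an Azure Blob container answer anonymous requests?
Azure lists a container's blobs at
https://<account>.blob.core.windows.net/<container>?restype=container&comp=list ;
with no Authorization header that only succeeds when the container's public access
level is "container".  Private containers answer 403/404 with an <Error><Code>."""
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

LIST_URL = "https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def classify_anonymous_listing(status: int, body: str) -> str:
    """Turn an unauthenticated List Blobs response into an audit verdict."""
    if status == 200 and "<EnumerationResults" in body:
        return "PUBLIC_LISTING"  # anyone holding the URL can enumerate and fetch the files
    if status in (403, 404):
        match = re.search(r"<Code>([A-Za-z]+)</Code>", body)
        return f"NO_ANONYMOUS_LISTING ({match.group(1) if match else 'unknown'})"
    return f"UNEXPECTED ({status})"


def blob_names(body: str) -> list:
    """Blob names from a List Blobs XML body (only meaningful for a PUBLIC_LISTING)."""
    root = ET.fromstring(body.encode("utf-8"))
    return [node.text for node in root.iter("Name")]


def probe_container(account: str, container: str, timeout: float = 10.0) -> tuple:
    """Issue the anonymous List Blobs request and return (status, body)."""
    url = LIST_URL.format(account=account, container=container)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # deliberately no credentials
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from any real account) for offline use.
PUBLIC_BODY = ('<?xml version="1.0" encoding="utf-8"?><EnumerationResults '
               'ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="backup">'
               '<Blobs><Blob><Name>register-of-members.pdf</Name></Blob><Blob><Name>'
               'server-backup-2019.bak</Name></Blob></Blobs><NextMarker /></EnumerationResults>')
PRIVATE_BODY = ('<?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted'
                '</Code><Message>Public access is not permitted.</Message></Error>')

if __name__ == "__main__":  # usage: python audit_blob.py <your-account> <container>
    print(classify_anonymous_listing(*probe_container(sys.argv[1], sys.argv[2])))
```

A PUBLIC_LISTING verdict means the container's access level should be reset to private (and the storage account's allow-blob-public-access setting disabled) before the backup job is investigated.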
Read More at Source – The Register