Attunity, a Qlik-owned data integration and big data management company whose solutions are used by over 2,000 enterprises and half of the Fortune 100 firms, exposed a significant amount of sensitive data through unprotected Amazon S3 buckets.
On May 13, a researcher at cyber resilience company UpGuard came across three unprotected AWS cloud storage buckets belonging to Attunity. An analysis revealed that the buckets had stored a vast amount of data — the exact size was not determined, but a one-terabyte sample was downloaded for analysis — including email backups, business documents, and employee OneDrive account backups containing emails, passwords, project specifications, and marketing and sales contact information.
The exposed buckets also stored customer-related information. Some examples provided by UpGuard include Netflix database authentication strings, an invoice for a TD Bank software update, and slides describing a project for car maker Ford.
In the exposed files, UpGuard also discovered credentials for Attunity systems and its corporate Twitter account, and employee personal information, including names, salary, date of birth, and employee ID numbers. Researchers determined that the employee IDs might actually be social security numbers.
The oldest files were uploaded to the storage buckets in September 2014 and the most recent were uploaded just days prior to UpGuard’s discovery. However, the cybersecurity firm says it’s unclear when these files actually became publicly accessible. UpGuard informed the vendor of its findings on May 16 and the exposed buckets were secured shortly after.
Qlik, which acquired Attunity earlier this year for $560 million, told SecurityWeek that Attunity customers deploy and operate the software directly in their own environments, and the company doesn't actually store or host sensitive customer data.
“Following Qlik's acquisition of Attunity in May, and upon becoming aware of the issue, Qlik applied its security standards and best practices to the Attunity environments, including monitoring by Qlik's 24x7 security operations center,” Qlik said via email.
“We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations. We take this matter seriously and are committed to concluding this investigation as soon as possible. At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us,” the company added.
Related: Misconfigured Server Leaks Oklahoma Department of Securities Data
Related: Amazon S3 Bucket Exposed GoDaddy Server Information
Related: Data Aggregator LocalBlox Exposes 48 Million Records