Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Millions of Dow Jones Customer Records Exposed Online

American news and financial information firm Dow Jones & Company inadvertently exposed the details of millions of its customers. The data was found online by researchers in an Amazon Web Services (AWS) S3 bucket that had not been configured correctly.

American news and financial information firm Dow Jones & Company inadvertently exposed the details of millions of its customers. The data was found online by researchers in an Amazon Web Services (AWS) S3 bucket that had not been configured correctly.

Chris Vickery of cyber resilience firm UpGuard discovered on May 30 an AWS data repository named “dj-skynet” that appeared to contain the details of 4.4 million Dow Jones customers. Dow Jones disabled access to the files only on June 6.

The files included names, customer IDs, physical addresses, subscription details, the last four digits of credit cards and, in some cases, phone numbers belonging to individuals who subscribed to Dow Jones publications such as The Wall Street Journal and Barron’s.

One of the exposed files stored 1.6 million entries for Dow Jones Risk and Compliance, a risk management and regulatory compliance service for financial institutions.

According to UpGuard, the data was accessible because Dow Jones employees had configured the repository’s permissions to allow access to anyone with an AWS account. There are over one million Amazon cloud users and anyone can register an account for free.

Dow Jones confirmed the data leak, but claimed only 2.2 million of its customers were affected, not 4.4 million as UpGuard claims. The security firm has admitted that there could be some duplicate entries.

Advertisement. Scroll to continue reading.

It’s unclear if affected customers will be notified, but in a statement to The Wall Street Journal the company downplayed the incident, arguing that there is no evidence the data was taken by anyone else and the exposed information does not pose a significant risk to users.

UpGuard disagrees and points out that the data could be highly valuable to malicious actors for phishing and other social engineering schemes.

In recent weeks, the security firm reported finding exposed databases storing data belonging to the U.S. National Geospatial-Intelligence Agency (NGA), American voters, and Verizon customers. Unprotected Amazon S3 buckets were involved in all incidents.

“Yet another demonstration of how services such as AWS are missing basic steps that ensure their data and services are configured in a secure fashion,” Bitglass CEO Rich Campagna told SecurityWeek.

“It’s seems like a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public. This approach could ensure that cloud services deny unauthorized access, and organizations could take it one step further and encrypt sensitive data at rest,” Campagna added. “Companies like Dow Jones, Verizon and anyone else using the public cloud for their infrastructure can easily enforce policies that require internal teams and third-parties to adequately protect any customer data that touches the cloud.”

Related: Dow Jones Suffers Data Breach

Related: Suspect Arrested in JPMorgan, Dow Jones Data Theft Case

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.