BroadSoft, the software and service provider trusted with the safety of the customer records of Time Warner Cable, exposed millions of customer records online after its two cloud-based AWS S3 buckets were discovered open to the public. The error by Broadsoft affected almost four million customers; the breach is currently under investigations, according to sources.
The breach was discovered by the researchers at Kromtech Security Center, who later informed Broadsoft about it. According to Kromtech, the leaked information included transaction numbers, MAC numbers, user names, account numbers, types of service purchased as well as some internal development information like SQL database dumps and code with login credentials. The data was collected from November 10, 2010, to July 7, 2017.
Kromtech further wrote “They used Amazon’s cloud but misconfigured it by leaving it accessible. Amazon AWS buckets are protected by default but somehow were left publically available. It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents.”
Commenting on the issue, Jeff Hill, the director of product manager of third-party risk management solutions provider Prevalent, said, “The Broadsoft episode underscores the relevance of the age-old aphorism ‘never attribute to malice that which can be reasonably explained by stupidity.’ Visibility into your vendors’ controls via a comprehensive third party risk management program provides insight into not just the controls and technologies that prevent or mitigate attacks by the bad guys, but also the procedures and policies that are meant to prevent untrained or careless employees acting innocently to inadvertently expose sensitive data in the vendors’ custody.”
