There is some really good cloud security and some really bad. The really bad comes into play this week as addresses and demographic details of over 80 million U.S. households ended up exposed on an unsecured database stored on the cloud, researchers said.
The details included names, ages and genders as well as income levels and marital status, said researchers Noam Rotem and Ran Locar.
The owner of the database remains unclear, the researchers said.
The data didn’t include payment information or Social Security numbers.
Rotem and his team verified the accuracy of some data in the cache but didn’t download the data to minimize the invasion of privacy of those listed, he said.
It’s one more example of a widespread problem with cloud data storage, which has revolutionized how we store valuable information. Quite a few organizations don’t have the expertise to secure the data they keep on Internet-connected servers, resulting in repeated exposures of sensitive data.
Rotem found the data was stored on a cloud service owned by Microsoft. Securing the data is up to the organization that created the database, and not Microsoft itself.
“We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured,” a Microsoft spokesperson said in a CNET report.
The server hosting the data came online in February, Rotem found, and he discovered it in April using tools he developed to search for and catalog unsecured databases.
“Yet again we see very private data being exposed, for a large percentage of US households, including name, full address, age, date of birth, and other personal information. This alone could be the basis for massive identity theft,” said Dan Tuchler, CMO of SecurityFirst. “There are laws in most states to protect consumers against this type of careless breach, and there should be a national law. This data was stored in a public cloud. Cloud data protection needs to be taken seriously to prevent this type of breach. Enterprises need to properly encrypt data in the cloud, including encrypting it from its point of creation or collection. They also need to protect data with access policy so that only authorized entities can retrieve it, and report on any unauthorized access so that the data can remain secured.”