Dow Jones server leaks personal info of 2.2 million customers

Private information of more than two million customers of the Dow Jones publishing agency have been exposed online.

According to the IB Times, a configuration error on the Dow Jones & Co. cloud storage server led to sensitive information including names, addresses, account information, emails and the last four digits of credit cards for almost 2.2 million people becoming available to anyone with an Amazon Web Services Account.

The flaw itself was first spotted by cybersecurity researchers from UpGuard back in June. The researchers said the number of affected users might reach four million. According to UpGuard’s Director of Cyber Risk Research, Chris Vickery, the data inside a repository on Amazon’s Simple Storage Service was configured to allow any AWS "Authenticated User" to access and download data.

"Per Amazon's own definition, an 'authenticated user' is 'any user that has an Amazon AWS account,' a base that already numbers over a million users," UpGuard researchers wrote in a blog post, noting that registration for an AWS account is free. "This was due to an internal error, not a hack or attack," a Dow Jones spokesman told The Hill. "We have no evidence any of the over-exposed information was taken."

Even though this wasn’t classified as a cyber-attack, UpGuard warned that it might be abused by malicious actors.

"Customer names, addresses, email addresses, and the smaller amount of phone numbers would be of use to any spammers or digital marketers, but could also be used to far more malign effect," UpGuard researchers said. "With a list of four million subscribers to Dow Jones publications, it is not hard to see how malicious actors could deploy phishing messages against exposed customers.

Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.

Photo credit: Imillian / Shutterstock