The Website Planet security team discovered an Amazon S3 bucket owned by logistics giant D.W. Morgan that was left unsecured online.
The S3 bucket contained more than 100 GB of sensitive data relating to shipments and the company’s clients, including some Fortune 500 companies such as Cisco and Ericsson.
The researchers discovered the open AWS S3 bucket on November 12th, 2021, and notified the company the same day. On November 16th, 2021, D.W. Morgan secured the S3 bucket.
According to researchers, the database contained more than 100 GB worth of data with 2.5 million files detailing financial, shipment, transportation, personal and sensitive records belonging to D.W. Morgan’s employees and clients worldwide. These included Global 500 company Ericsson and Fortune 500 company Cisco.
Exposed data included:
Although, the database was discovered on November 12th, 2021 the details of it were only shared by Website Planet last week.
At the time of this writing, it is not clear whether the content of the S3 bucket was accessed by threat actors while it was unsecured online.
“We cannot know whether bad actors acquired the bucket’s content. If malicious actors have accessed the bucket, D.W. Morgan and its clients could be targeted with criminal activities.” reads the post published by Website Planet. “D.W. Morgan could also face legal sanctions from several jurisdictions.”
Clients of the company could be targeted by malicious activities, such as phishing campaigns and scams, due to the exposure of their data.
“While we cannot and do not know whether malicious actors have accessed the bucket’s content, there are various risks that exposed clients could face if anyone has downloaded or read the sensitive data stored on D.W. Morgan’s misconfigured bucket.” concludes the post. £In particular, businesses could experience criminal activities and forms of cybercrime as a result of the open bucket.”
(SecurityAffairs – hacking, D.W. Morgan)