Millions of records relating to customers of Time Warner Cable and other cable companies were stored on a publicly accessible Amazon Web Services cloud system by service provider BroadSoft, revealing a “massive amount of sensitive information,” according to a report from Kromtech, makers of the MacKeeper security tool.
Charter Communications, which bought Time Warner Cable last year, urged users of the MyTWC app to change both their usernames and passwords, and said in a statement to Gizmodo that the data was removed once the contractor was aware of the issue. Among the more than 4 million records, spanning a period from 2010 to July 2017, are data on user names, MAC addresses, billing addresses, and phone numbers for hundreds of thousands of TWC customers.
“We apologize for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident,” said a spokesperson.
In 2015, researchers found that a basic flaw on Charter’s website revealed the personal data of thousands of customers. And Kromtech itself had a similar issue that year, when security researcher Chris Vickery found usernames and passwords for millions of customers stored on an insecure database server.
Since then, these kinds of breaches—often involving publicly visible Amazon Web Services servers—have become routine. Lately, we’ve seen:
- Millions of Verizon customer PINs, names, addresses, and other data, accidentally left on an insecure AWS server by a contractor
- 198 million records on U.S. voters posted on an insecure AWS system, also found by Vickery and announced in June
- Data on 3 million World Wrestling Entertainment fans found publicly accessible on AWS by Kromtech, announced in July
- Up to a million people’s partial social security numbers and credit scores on an insecure AWS system, revealed by Kromtech in April
- Membership data from an HIV-positive dating app
Many of these databases have been discovered by security researchers who simply guess domain names with common words and company names on popular cloud providers like AWS, or who scour the internet for database servers configured without usernames or passwords.
AWS’s Simple Storage Service, where much of this data has been found, defaults to making files accessible only with proper security credentials, requiring programmers or web users to proactively make files public.
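One way to catch the "proactively made public" configuration described above is to audit a bucket's ACL and policy for world-readable grants. The following is an added example, not code from the article or from any company named in it; it reads an ACL in the dict shape boto3's get_bucket_acl returns and a bucket policy JSON document, and the sample ACL, policy, bucket name and account ID are constructed.

```python
import json

# Group URIs S3 uses in ACL grants to mean "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers"}

def public_acl_grants(acl):
    """ACL in the shape get_bucket_acl returns: (group, permission) pairs open to the world."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (alone or in a list): anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Sids of Allow statements in a bucket policy granted to a wildcard principal.
    A Condition may narrow such a statement, so it is still reported for review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))]

# Constructed sample: the owner's FULL_CONTROL grant is normal, but someone added a READ
# grant to AllUsers, and the policy lets anonymous callers GetObject on every key.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]})

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL), public_policy_statements(SAMPLE_POLICY))
```

Running the two checks over every bucket in an account (via get_bucket_acl and get_bucket_policy) turns the "somebody's gonna do it" case into a finding rather than a headline.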
Thanks to a chronic shortage of skilled tech workers, it’s hard to find employees with the necessary skills and training to consistently avoid such mistakes, Vickery told me in July. (While public leaks seem more prevalent on AWS than on rival services from companies including Google, Microsoft, and Dropbox, some speculate that may be because the company dominates the cloud market, with a roughly 34% market share compared to runner-up Microsoft’s 11%.)
And people often cut corners to make data more easily accessible within the organization, according to Vickery.
“If you have a large amount of people using any product to store data, and that product allows for public access, then a certain percentage of people for whatever reason are going to turn on those public access settings,” he said. “It’s just the laws of statistics—you have sufficient number, somebody’s gonna do it.”