Three terabytes of data from several servers belonging to Thomson Reuters Corporation, the Canadian multinational media conglomerate, were left exposed online. Researchers at Cybernews discovered the data, which included 6.9 million unique log entries containing corporate and legal information. The exposed servers were taken down after the researchers contacted the media giant.
What was found?
Researchers said that determining the exact amount of exposed data was impossible without ‘crossing the ethical boundaries’. The samples they examined showed that the data had been logged recently, with some entries dated October 26. The 3TB of sensitive data, estimated to be worth millions of dollars on underground criminal forums, was stored in plaintext, readable by anyone who found the servers. The data included:
- Individuals’ and organizations’ sensitive screening information
- Login credentials and password reset logs
- Email addresses
- Timestamps of password change requests
- Structured query language (SQL) logs of data searched by Thomson Reuters’ clients
- Legal information about some businesses and individuals
- Internal screening of YouTube
- Connection strings to databases
Investigation of the web servers’ secure sockets layer (SSL) certificate, domain name system (DNS) records, and the ElasticSearch instance confirmed that the data belonged to Thomson Reuters Corporation. The databases had been publicly exposed since October 21.
The three servers of Thomson Reuters Corporation
A Thomson Reuters representative told the publication about the company’s immediate response to the incident: “Upon notification, we immediately investigated the findings provided by Cybernews regarding the three potentially misconfigured servers.” The company maintained, however, that two of the servers were intended to be publicly accessible, and that the third was a non-production server for its ‘ONESOURCE’ global trade product. According to the company, that third server stored application logs linked to a small subset of customers.
How was the data exposed?
Researchers believe the data became public because of a misconfigured AWS Elastic Load Balancing (ELB) deployment: the load balancer’s rules did not enforce the intended access controls, which likely left the ElasticSearch instance behind it reachable from the internet and exposed the company’s data.
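The misconfiguration described above is the kind of thing a routine configuration audit should catch before a researcher does. The following is an added example, not code from Cybernews or Thomson Reuters: it walks security-group records in the shape returned by `aws ec2 describe-security-groups` and a simplified, constructed load-balancer record (the `Listeners`/`TargetPort` fields are an assumption for illustration, not the real `describe-load-balancers` output), and flags any path that opens an Elasticsearch port (9200/9300) to the whole internet without an authentication action in front of it. All sample records are constructed for the example; one is the weak configuration, one is the corrected one.

```python
"""Audit helper (added example; not Cybernews' or Thomson Reuters' code).

Flags security-group rules that open Elasticsearch ports to 0.0.0.0/0
or ::/0, and internet-facing load balancers that forward to those ports
without an ALB authentication action.  Security-group records follow
the `aws ec2 describe-security-groups` JSON shape; the load-balancer
record is a simplified, constructed shape (assumption for illustration).
"""
from typing import Dict, Iterable, List, Tuple

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
ES_PORTS = (9200, 9300)
# Real ALB listener action types that put an identity check in front of a target.
AUTH_ACTIONS = {"authenticate-oidc", "authenticate-cognito"}


def _rule_covers_port(rule: Dict, port: int) -> bool:
    proto = rule.get("IpProtocol")
    if proto == "-1":          # "all traffic" rule: every port is open
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _rule_is_world_open(rule: Dict) -> bool:
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def public_ingress(groups: Iterable[Dict],
                   ports: Iterable[int] = ES_PORTS) -> List[Tuple[str, int]]:
    """Return sorted (GroupId, port) pairs where the port is open to the internet."""
    findings = set()
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _rule_is_world_open(rule):
                continue
            for port in ports:
                if _rule_covers_port(rule, port):
                    findings.add((sg["GroupId"], port))
    return sorted(findings)


def lb_exposes_es(lb: Dict, ports: Iterable[int] = ES_PORTS) -> List[int]:
    """Listener ports on an internet-facing LB that forward to an ES port
    with no authentication action ahead of the forward (simplified record)."""
    if lb.get("Scheme") != "internet-facing":
        return []
    exposed = []
    for listener in lb.get("Listeners", []):
        actions = listener.get("DefaultActions", [])
        authenticated = any(a.get("Type") in AUTH_ACTIONS for a in actions)
        forwards_to_es = any(a.get("Type") == "forward" and a.get("TargetPort") in ports
                             for a in actions)
        if forwards_to_es and not authenticated:
            exposed.append(listener["Port"])
    return exposed


# --- Constructed sample records (not taken from the incident) ---------------
MISCONFIGURED_SG = {
    "GroupId": "sg-es-public",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
}
HARDENED_SG = {      # same ports, but restricted to the private VPC range
    "GroupId": "sg-es-private",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
                       "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
}
ALL_TRAFFIC_SG = {   # an "all traffic" rule exposes every port, ES included
    "GroupId": "sg-wide-open",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
OPEN_LB = {"Scheme": "internet-facing",
           "Listeners": [{"Port": 443, "DefaultActions": [
               {"Type": "forward", "TargetPort": 9200}]}]}
AUTHED_LB = {"Scheme": "internet-facing",
             "Listeners": [{"Port": 443, "DefaultActions": [
                 {"Type": "authenticate-oidc"},
                 {"Type": "forward", "TargetPort": 9200}]}]}

if __name__ == "__main__":
    print("public SG ingress:", public_ingress([MISCONFIGURED_SG, HARDENED_SG, ALL_TRAFFIC_SG]))
    print("open LB listeners:", lb_exposes_es(OPEN_LB), "authed LB:", lb_exposes_es(AUTHED_LB))
```

Against live accounts the same functions run over the output of `aws ec2 describe-security-groups`; the load-balancer half would need to be mapped onto the real listener and target-group records, which is why it is marked as a simplified assumption here. Note that restricting the security group (the `HARDENED_SG` record) only helps if the load balancer itself does not also forward unauthenticated traffic to the port, so both checks belong in the audit.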
Researchers argued that such information could allow cybercriminals to launch phishing campaigns, impersonate individuals to commit further fraud, send fake company invoices for financial gain, extort the business, launch ransomware attacks, or gain additional access and data.