Srikanth said that while public storage buckets on Amazon serve an important use case, disseminating publicly accessible information to users quickly and effectively, companies should be careful about putting personally identifiable information or confidential documents there, and should restrict access if they do choose to upload to third-party servers. For instance, Swiggy has delegated its HR functions to a start-up, HireXP, which appears to have uploaded resumes, offer letters and recordings of interviews to Amazon servers. While the company said there was no leak from its end, Business Standard reviewed these documents and recordings, which were made private by Tuesday evening.
WHAT STANDS COMPROMISED
A website, grayhatwarfare, surfaced last week with publicly available data
Data listed on the site comes from Amazon servers used by companies
Indian firms caught napping as private details of individuals were leaked
Diagnostic reports, doctors’ signatures, offer letters, bank statements found in the data stores
Companies such as Swiggy and Gromor Finance affected by the leak
About 1.8 million individuals affected in just 5 major leaks detected so far
“We take information security seriously, and have put robust guards in place to ensure we protect private information,” Swiggy said.
HireXP, on its part, said that the Swiggy offer letters were dummy ones, even though the ones reviewed showed a clear break-up of people's salaries, joining dates, positions and other details of employment.
“Swiggy is not using HireXP panel to send offer letters and the letters available on the portal are dummy letters,” HireXP stated.
Mumbai-based digital lender Gromor Finance appeared to have exposed bank statements and details of its entire customer base. The company fixed the exposure as soon as it was reported to it, but maintained that it was only a test environment. “We had a test environment with random information for testing purposes. At no point was any loan information used or exposed in the test environment. As a matter of abundant caution, this test environment was terminated as soon as it came to our attention,” said Santosh Shetty, co-founder, Gromor Finance.
It was also discovered that some of these buckets were “writable”, meaning that anyone who found them could modify the data, not just read it. One such bucket held 500,000 resumes, and the owner of the database could not be identified.
It is difficult to ascertain exactly how many individuals might have been affected by these leaks, Srikanth said.
While the RBI has been focusing on data localisation, there are few enforcement mechanisms in India that limit the flow of information or improve data security and privacy.
“Although most companies identified in the leaks were hosting in India, leaked bank statements were available globally. Health records of people were available freely. We need a data protection law with stringent penalties such as GDPR, so companies treat user data with respect, sensitise their employees about the importance of personal data,” Srikanth said.
Amazon Web Services said the problem of leaky buckets does not originate at its end, but arises when developers change a bucket's sharing settings to public and then store private information in it.
“Amazon S3 is secure by default. If customers use the default configuration, the bucket locks down access to just the account owner and root administrator. Well over a million customers continue to use Amazon S3 safely and securely. A core tenet of Amazon Web Services since the very start has been to allow builders the flexibility to change our default configurations to suit whatever style of app they’re constructing,” said a spokesperson from AWS.
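The AWS statement above turns on a single question: has someone changed the bucket's default, owner-only access so that "everyone" can read it, or, as with the writable buckets found in this leak, also write to it? That is visible in two places, the bucket ACL and the bucket policy. The following is an added example written for this article, not code from Business Standard, AWS or any of the companies named; it takes dictionaries shaped like the responses of boto3's `get_bucket_acl()` and `get_bucket_policy()` (the sample documents, account IDs and bucket name are constructed) and classifies the bucket as private, public-read, public-write or needing review, without touching AWS.

```python
"""Classify whether an S3 bucket is exposed to the world by its ACL or policy.

Added example, not code from the article or from AWS. Inputs are dicts shaped
like the responses of boto3's get_bucket_acl() and get_bucket_policy(); the
sample documents at the bottom are constructed, and nothing here touches AWS.
"""
import json

# Group URIs S3 uses for "everyone on the internet" and "anyone with an AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

# ACL permissions / policy actions that let a grantee list+read or modify contents.
READ_PERMS = {"READ", "FULL_CONTROL"}
WRITE_PERMS = {"WRITE", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Findings (kind, message) for grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or group is None:
            continue  # the owner or a specific account: not public
        perm = grant.get("Permission")
        if perm in READ_PERMS:
            findings.append(("read", f"acl: {group} can list/read ({perm})"))
        if perm in WRITE_PERMS:
            findings.append(("write", f"acl: {group} can put/delete ({perm})"))
    return findings


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_json):
    """Findings for Allow statements whose Principal is '*'."""
    findings = []
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition (e.g. on aws:SourceVpce) may narrow '*': flag for review, not public.
            findings.append(("review", f"policy: {sid} allows '*' under a Condition"))
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(("read", f"policy: {sid} lets anyone read/list"))
        if actions & WRITE_ACTIONS:
            findings.append(("write", f"policy: {sid} lets anyone put/delete"))
    return findings


def classify_bucket(acl, policy_json=None):
    """Return ('public-write' | 'public-read' | 'review' | 'private', findings)."""
    findings = acl_findings(acl)
    if policy_json:
        findings += policy_findings(policy_json)
    kinds = {kind for kind, _ in findings}
    if "write" in kinds:
        return "public-write", findings
    if "read" in kinds:
        return "public-read", findings
    if kinds:
        return "review", findings
    return "private", findings


# Constructed samples (shape of boto3 responses; IDs and bucket name are made up).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
               "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}          # the S3 default: owner only
WRITABLE_ACL = {"Grants": [                      # the "writable bucket" case
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, acl, pol in [("private", PRIVATE_ACL, None),
                           ("writable", WRITABLE_ACL, None),
                           ("policy", PRIVATE_ACL, PUBLIC_READ_POLICY)]:
        verdict, found = classify_bucket(acl, pol)
        print(f"{name}: {verdict}", *[msg for _, msg in found], sep="\n  ")
```

The default ACL (owner only) comes out as private, which is the "secure by default" configuration AWS describes; adding an AllUsers READ grant makes it public-read, and an AllUsers WRITE grant makes it public-write, the state in which the resume bucket was found. A wildcard principal scoped by a Condition is reported for review rather than declared public, since such conditions can legitimately limit who matches. In practice the same check is run against live data by feeding the output of `get_bucket_acl()` and `get_bucket_policy()` for each bucket in an account, and the cheaper preventive control is to leave Block Public Access switched on at the account level.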