ABC exposes sensitive data in S3 bungle

Logins, passwords, backups among leaked data.

The Australian Broadcasting Corporation (ABC) has become the latest organisation to expose sensitive information through a misconfigured Amazon Web Services S3 storage bucket.

Security firm Kromtech revealed the government-funded broadcaster had accidentally leaked "a trove of data that is connected with ABC Commercial" including "production services and stock files that should not have been publicly available online".

The ABC Commercial business handles things like licensing, merchandise sales, content marketing, events and some digital services. 

It left 1800 daily MySQL database backups from 2015 to now exposed in the S3 bucket, which was configured to be publicly accessible.

The data also included thousands of emails, logins and hashed passwords for ABC Commercial users, requests for licensed content from other broadcasters, and a secret access key and login details for another S3 bucket.

The exposed ABC buckets had been indexed by public search engine Censys, and were identified by Kromtech during a regular audit of misconfigured S3 buckets earlier this week.

Kromtech said the ABC's IT team had secured the buckets minutes after they were notified of the problem.

The ABC confirmed that it had been notified of the breach yesterday.

"The broadcaster's technology teams moved to solve this issue as soon as they became aware," the spokesperson told iTnews.

Misconfigured S3 buckets have been a big problem for Amazon customers in recent months following high-profile leaks at the likes of Accenture, Dow Jones, Verizon, Viacom and Booz Allen Hamilton.

Two weeks ago iTnews revealed a researcher had discovered 50,000 records belonging to a handful of Australian government agencies and several private sector companies exposed in an S3 bucket.

AWS first issued a warning to its S3 customers in July to make sure their access controls on their buckets were properly configured, and last week made changes to the product to try to prevent recurrences.

With Juha Saarinen

Copyright © iTnews.com.au . All rights reserved.