With the record-setting numbers of data breaches each year, it’s easy to overlook the “smaller” incidents that don’t carry quite the same potential for harm.
In what is being commonly referred to as a “data exposure” rather than a data breach, consumers’ information is being left unsecured online for anyone to find; it’s not quite the same as a hacker breaking into a company’s servers and stealing information, but in some ways, it’s worse.
Data exposure happens when someone posts information to what they might have thought was a secure server, but didn’t put in place all the security controls required to keep other people from seeing it. It’s been happening a lot lately, especially with companies that rely on Amazon Web Hosting services; AWS by default is set to strict privacy settings, but someone could accidentally undo those settings and leave the data wide open to anyone who happens to have access to AWS sites.
BroadSoft, a communication software provider used by Time Warner Cable, both of which are owned by Charter Communications, uploaded a 600GB cache of customer records to two different AWS storage repositories. This cache could represent as many as 4 million customers’ records, although they’ve already discovered that some of the records were duplicates, so the number might not be that high. The data was not protected and therefore could have been viewed by anyone who managed to find its location online.
This is why we can say that data breaches are bad, but data exposures could be worse. In the event of a data breach, there are often signs that someone has accessed the data, and therefore the notification procedures that come into play are worthwhile. In the event of a data exposure, however, customer notification might not even be legally required; if the company chooses to notify customers, then they may have done so for no reason at all, compromising their customers’ trust in them.
While BroadSoft does know that the public internet had access to these files, they don’t know if anyone stumbled upon them or used them in any way. The exposed information included usernames, email addresses, MAC addresses, device serial numbers, and financial transaction information, but not credit card data. Many of the records included customers’ phone numbers, billing addresses, and other contact info.