Unprotected Azure blob exposes 500,000 confidential documents

[German]A British app developer made a big mistake by running a Microsoft Azure Blob unprotected in the cloud. As a result, over 500,000 confidential documents, some with medical data, could be accessed publicly and without any access control.


Advertising

What is Azure Blob?

Azure Blob Storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing large amounts of unstructured data. Unstructured data is data that does not conform to any particular data model or definition (i.e. text or binary data, for example). More details can be found in the article Introduction to Azure Blob storage.

The data leak incident

II came across this data protection incident days ago, which occurred in the UK and was documented by The Register. Surrey-based business app developer Probase had been using a Microsoft Azure blob to store the data it needed. The blob belonged to one of the developer's CRM products and contained 587,000 files, from backed-up emails to letters, spreadsheets, screenshots and more.

The fact is that this Microsoft Azure blob from the cloud was completely unsecured and accessible via the Internet. Anyone who knew the required URLs could access the stored information. There were no security controls for the Azure blob, meaning the data could be accessed without authentication. If it had just been test data, it could have been shrugged off. But the developer was using real data from specific operations.

The unsecured Microsoft Azure blob contained more than half a million confidential and sensitive documents from customers, which were thus freely accessible on the Internet. According to The Register, the information contained in the Azure Blob included occupational health reports, U.S. company insurance claims documents underwritten by Lloyds of London, and private opinions from senior lawyers about younger colleagues applying for promotion.

The blob also included security documents from FedEx shipments, internal complaints from food company Huel, an investment management firm and countless others – and, in at least one example that The Register says it saw, a passport scan.


Advertising

The address of the unsecured Microsoft Azure Blob was discovered by Oliver Hough, an Infosec researcher. The latter is increasingly concerned about the security of data stored in blobs (Azure, AWS, etc.). then passed the information on to The Register in the hope that access would be blocked once the owner of the Azure Blob was identified. The Register quotes the security researcher as saying:

"Finding a storage bucket like this, where a provider has put all of its customers' files into a single bucket instead of creating separate storage for each customer, shows that even in 2020, the basics of secure design are still not being followed."

In a statement to The Register, Probase director Paul Brown indicated that they were working with the Information Commissioner, but declined to comment on how long the Azure Blob had been publicly available. More details, including those on affected UK customers, can be found here. The case shows once again how laxly highly sensitive information is often handled and how little security thinking is present among developers.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *