WizCase’s security team, led by Ata Hakçıl, found a significant breach affecting Reindeer, an American marketing company previously associated with Patrón Tequila, Tiffany & Co. and other brands. This breach exposed customers’ names, date of birth, email addresses, physical addresses, phone numbers and more.
WizCase’s ethical cyber researchers discovered a misconfigured Amazon S3 bucket belonging to Reindeer containing over 50,000 files and totaling 32GB of data. The Reindeer Company is a defunct American advertising company. Because a now-defunct company owns the bucket, WizCase reached out to Amazon regarding the breach as it is the only contact that could help secure the breach. WizCase also informed the US-Cert, hoping they would reach out to the previous company owner.
The misconfigured S3 bucket compromised the details of over 300,000 customers from various Reindeer clients. Patrón was the client with the most customers’ PIIs exposed, but other Reindeer’s clients were left vulnerable, including those of the UK clothing brand Jack Wills.
Tyler Shields, CMO at JupiterOne, says, “Misconfigurations and errors in deployment have been exacerbated by the race to move technology to the cloud and a lack of visibility and consistent security within cloud-native deployments. Unfortunately, it is very easy to make configuration and permissions/access errors within cloud-native deployments. Moving forward, enterprises moving to the cloud would do well to have some system in place that tracks cyber asset state and alerts on errors for their entire cloud infrastructure.
The information exposed included about 1,400 profile photos and the details of approximately 306,000 customers in total. Personal details include name, surname, email address, date of birth, physical address, hashed passwords, and Facebook IDs. Phone numbers and physical addresses were the rarest information compromised, but nearly 100,000 of each were exposed. According to security researchers, a total of 35 countries were included in the user count, with the top three (the US, Canada, and Great Britain) accounting for almost 280,000 of those users. The information was dated from May 2, 2007, to February 6, 2012.
“The public cloud brings a whole host of new issues to which organizations are still adapting. The case of the Reindeer breach raises serious questions about the shared responsibility model and certainly highlights the need for a layered defense,” says Douglas Murray, CEO at Valtix. “When it comes to PaaS services, like S3, organizations must implement network-based access controls and apply security policies to protect against sensitive data exfiltration. These are accepted best practices in the security world, yet most organizations are not applying effective network security in the cloud. A multi-cloud network security platform could have helped simplify and improve security in this case.”