A data breach at the parent company of Reuters exposed more than 3TB of sensitive corporate and customer data. The incident was discovered by security firm Cybernews.
According to the researchers, several database servers used by Thomson Reuters were publicly accessible for days. The servers contained a number of Elasticsearch databases used to store highly sensitive, frequently accessed information. Elasticsearch databases are often used to store large amounts of fluctuating data.
In addition to personal and company data, the researchers found plain-text server passwords and user-client interaction logs. Furthermore, the databases contained internal screenings of platforms like YouTube, customer access logs, connection strings to other databases and password-reset logs.
The error that exposed the databases was introduced recently, Cybernews noted. The researchers indicate that the problem may have been caused by a misconfiguration in an AWS Elastic Load Balancing service. The service reportedly followed several rules that weren’t configured to apply all access control policies. As a result, the service became publicly accessible.
Given the large amounts of sensitive data, the misconfiguration could have major consequences. The servers were publicly accessible for several days and may have caught the attention of malicious bots scouring the internet for open ports and vulnerabilities.
Thomson Reuters closed the databases after being notified of the incident. The data in question allows for a variety of malicious activity, including social engineering, ransomware infections and supply chain attacks.
Thomson Reuters responds
In a statement, Thomson Reuters confirms that the open servers are protected at this time. The publisher claims that the incident is less dangerous than Cybernews indicates.
Two of the affected servers were intended to be publicly accessible. The third server was intended for “application logs from a pre-production/implementation environment”.
Thomson Reuters implies that pre-production data is relatively harmless. In contrast, Cybernews argues that pre-production servers typically host some form of sensitive data.