SoylentNews is people

posted by Fnord666 on Tuesday September 15 2020, @02:12PM
from the lock-up-your-buckets dept.

Online marketing company exposes 38+ million US citizen records:

The CyberNews research team discovered an unsecured data bucket that belongs to View Media, an online marketing company. The bucket contains close to 39 million US user records, including their full names, email and street addresses, phone numbers and ZIP codes.

The database was left on a publicly accessible Amazon Web Services (AWS) server, allowing anyone to access and download the data. Following the 350 million email leak covered by CyberNews earlier in August, this is the second time this summer we encountered an unsecured Amazon bucket containing such massive amounts of user data.

On July 29, the exposed View Media bucket was closed by Amazon and is no longer accessible.

[...] The unsecured Amazon S3 bucket appears to belong to View Media, an online marketing company that specializes in email marketing, display advertising, design, hosting, direct mails, date sales, and other digital marketing services. The company offers targeted marketing services to American publishing brands like Tribune Media and Times Media Group.

Apart from millions of user records, the bucket also contains thousands of marketing newsletters, promotional flyer designs, banner ads, and statement of work documents created by View Media for its clients.

[...] Because we were initially unable to identify the owner of the unsecured bucket, we contacted Amazon on July 27 to help them secure the database. They were able to close the bucket on July 29.

We then reached out to one of the marketing company's clients mentioned in the statement of work documents that were stored on the bucket, who helped us identify View Media as the owner of the database on August 21. On August 24, we contacted View Media for an official comment regarding the leak. However, we received no response from the company.


This discussion has been archived. No new comments can be posted.
  • (Score: 1, Troll) by legont on Tuesday September 15 2020, @02:33PM (7 children)

    by legont (4179) on Tuesday September 15 2020, @02:33PM (#1051306)

    If I were the poor Indian who worked on this project, I'd be on a flight home already.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 2) by Freeman on Tuesday September 15 2020, @04:28PM (6 children)

      by Freeman (732) on Tuesday September 15 2020, @04:28PM (#1051370) Journal

      What makes you think it hadn't been outsourced to begin with?

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 3, Insightful) by Anonymous Coward on Tuesday September 15 2020, @05:39PM

        by Anonymous Coward on Tuesday September 15 2020, @05:39PM (#1051394)

        What makes you think it wasn't some old white dude more interested in greed than ethics?

      • (Score: 2) by legont on Wednesday September 16 2020, @04:10AM (4 children)

        by legont (4179) on Wednesday September 16 2020, @04:10AM (#1051566)

        There got to be someone here who can be held responsible. My suggestion was for them.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
        • (Score: 2) by Freeman on Wednesday September 16 2020, @03:04PM (3 children)

          by Freeman (732) on Wednesday September 16 2020, @03:04PM (#1051743) Journal

          Who better to blame than some coder that's not even in the country?

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
          • (Score: 2) by legont on Wednesday September 16 2020, @03:08PM (2 children)

            by legont (4179) on Wednesday September 16 2020, @03:08PM (#1051749)

            Well, one got to go to prison. That's the idea of the punishment.

            --
            "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
            • (Score: 2) by legont on Wednesday September 16 2020, @03:11PM

              by legont (4179) on Wednesday September 16 2020, @03:11PM (#1051752)

              Let me elaborate. If say Assange were different and actually tried to hide his identity, the US would simply find somebody local to put in prison as opposed to the extradition troubles.

              --
              "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
            • (Score: 2) by Freeman on Wednesday September 16 2020, @03:14PM

              by Freeman (732) on Wednesday September 16 2020, @03:14PM (#1051756) Journal

              Right . . . , because so many companies have been held liable for their data breaches. Whether due to negligence, malice, or otherwise. This is another blip on the radar and no one will care come Monday.

              --
              Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 2, Interesting) by fustakrakich on Tuesday September 15 2020, @03:06PM (2 children)

    by fustakrakich (6150) on Tuesday September 15 2020, @03:06PM (#1051327) Journal

    Why would they respond? Take the money and run, babe.

    So, is there anything to say that hasn't been said a million times?

    --
    La politica e i criminali sono la stessa cosa..
    • (Score: 2) by RS3 on Tuesday September 15 2020, @03:21PM

      by RS3 (6367) on Tuesday September 15 2020, @03:21PM (#1051337)

      If they had a sense of humor they could respond: D'oh!

    • (Score: 0) by Anonymous Coward on Tuesday September 15 2020, @06:14PM

      by Anonymous Coward on Tuesday September 15 2020, @06:14PM (#1051403)

      the email probably went to some fat windows-using lady who was scared the email was a "hacking" attempt.

  • (Score: 5, Interesting) by Rosco P. Coltrane on Tuesday September 15 2020, @04:20PM (8 children)

    by Rosco P. Coltrane (4757) on Tuesday September 15 2020, @04:20PM (#1051365)

    Companies should be held legally accountable for the security of the data they harbor. When they suffer a data breach, they should be dragged in court and asked to prove they did everything in their power to implement proper network administration. If they did, they in turn should be able to shift the legal burden onto whoever provided the software or hardware that allowed the incident to happen. If they didn't, someone in charge should be doing hard time.

    I guarantee you, a simple law like that would immediately kill off 3/4th of the fly-by-night marketing companies that have been plaguing the internet for the past 30 years. And the rest would suddenly become a lot more diligent.

    • (Score: 0) by Anonymous Coward on Tuesday September 15 2020, @04:24PM

      by Anonymous Coward on Tuesday September 15 2020, @04:24PM (#1051368)

      Pretty much, if they'd stop hoovering up all the data that they do, it would greatly cut down on the severity of these issues. But, that's not going to happen, they like collecting all this data above and beyond what they need.

      After that, holding them accountable for how they handle the data is definitely called for and as you suggest only allowing them to shift or deflect responsibility.

    • (Score: 1) by fustakrakich on Tuesday September 15 2020, @05:16PM

      by fustakrakich (6150) on Tuesday September 15 2020, @05:16PM (#1051385) Journal

      Make it illegal to put the database on the WAN. No database should have a direct connection. Use sneakernet to run floppies between the two networks. Any leakage then would have to be intentional.

      --
      La politica e i criminali sono la stessa cosa..
    • (Score: 5, Interesting) by Thexalon on Tuesday September 15 2020, @06:38PM (1 child)

      by Thexalon (636) on Tuesday September 15 2020, @06:38PM (#1051411)

      I agree the penalties are extremely insufficient: For a simple example, Equifax is still in business and doing just fine after exposing the detailed financial information of a majority of the adults in the US.

      Your proposal sounds great, but the problem is that that doesn't change the short-term decision-making of anybody who might benefit from collecting the data, nor does it prevent them from taking the money and running and successfully blaming any failures on a low-level scapegoat employee or intern.

      The approach I've suggested before, and will continue to suggest, is that companies should have to purchase insurance against the expenses associated with a data breach, with payouts going to the third parties affected by the breach. For a small business with the records of the last few months of customer purchases stored on a hard drive in their office, that's going to be a low cost. For companies with millions of detailed records on everybody stored on a cloud server $DEITY-knows-where, that's going to be a very high cost. Insurers would do what insurers do, namely evaluate the risks, put a price on them, and charge businesses that plus a bit more as a profit margin. There's several major benefits to this:
      1. It provides a ready-made argument in corporate discussions for why data should either be deleted or not collected in the first place: "But that will increase our monthly data-breach insurance premiums by $X, so we shouldn't do that unless we know it would make more than $X."
      2. It creates a profit incentive to invest in securing what data the company does decide to keep: "Approve this network security project, and we can save $Y on our data-breach insurance premiums annually."
      3. The insurance companies would be keeping track of what behaviors from their customers actually result in payouts, and thus we'd have for the first time some sort of empirical studies to point to about what works and what doesn't work in data security. Right now, what we have is PHBs taking the answer of either salespeople or people who do a good job of playing the part of security experts, regardless of whether those answers are right about anything.
      4. Especially on bigger accounts, it's in the interests of the insurance companies to do their own audits and ensure that their customers are doing what they say they're doing with data and testing those customers' security, so we'd have in many cases for the first time security audits being performed by somebody who has a financial incentive to find and fix all their problems rather than security audits being performed by someone with an incentive to check the box and pretend that none of the problems discovered exist.
      5. If there is a data breach, there's a consistent plan in place for what will have to be paid out, to whom, for how much, as opposed to the current system where companies either deign to give out something to avoid being sued, or they get sued and nobody but the lawyers gets much of anything.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by Common Joe on Tuesday September 15 2020, @06:46PM

        by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Tuesday September 15 2020, @06:46PM (#1051416) Journal

        The approach I've suggested before, and will continue to suggest...

        Keep suggesting. It may be complicated and expensive, but it's one of the best ideas I've seen to grapple the problem because it puts an actual financial cost onto the guilty parties.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday September 15 2020, @06:39PM

      by Anonymous Coward on Tuesday September 15 2020, @06:39PM (#1051412)

      The U.S. needs an equivalent GDPR. Not one crafted by big business with no teeth.

    • (Score: 3, Touché) by fakefuck39 on Wednesday September 16 2020, @03:18AM (2 children)

      by fakefuck39 (6620) on Wednesday September 16 2020, @03:18AM (#1051554)

      you want companies to be held accountable for leaking basic publicly available information, which is what was "leaked" here? So I get a yellow pages, put the data into an excel file, and hide the file behind a password. If someone is able to grab that file from me, I owe you money? get the fuck outta here bitch.

      • (Score: 2) by Joe Desertrat on Wednesday September 16 2020, @10:34PM (1 child)

        by Joe Desertrat (2454) on Wednesday September 16 2020, @10:34PM (#1051997)

        So I get a yellow pages, put the data into an excel file, and hide the file behind a password

        If that was the extent of the problem no one would care. That is information that has already been put out there, by choice of the subject. If you gather it up yourself from sources like the Yellow Pages and sell it you might be guilty of copyright infringement or plagiarism, but any losses due to that are borne entirely by the original publishers of that presumably ethically acquired information.
        If I sign a deal with Yellow Pages to release certain information to the public in order to attract more business, I really don't care how or how far it spreads, as long as I get more business. But if Yellow Pages collects and by negligence or malice exposes more information than that about me, supposedly private information such as contract details, banking information, private phone numbers, etc., suddenly there is a real problem that might end up costing me, and yes, Yellow Pages should be liable for that.

        • (Score: 2) by fakefuck39 on Thursday September 17 2020, @03:15PM

          by fakefuck39 (6620) on Thursday September 17 2020, @03:15PM (#1052239)

          lol you don't have to sign a deal with the yellow pages to have your business listed. you sign a deal if you want a promoted ad placed there. and no, your address/phone/email is not subject to copyright, and you can't plagiarize facts. those were the only things leaked here.

  • (Score: 0, Interesting) by Anonymous Coward on Tuesday September 15 2020, @05:43PM

    by Anonymous Coward on Tuesday September 15 2020, @05:43PM (#1051396)

    Ad blocking and data-collection blocking is absolutely mandatory in today's world. Anyone saying otherwise is either a sheep (who blindly repeats whatever they're told and can't analyze it for themselves) or wants to make money by selling you. Nazi Germany would have won the war if their motivation was this kind of data collection. (Driving the point home on how this data can be used)
