More than 2 million records potentially compromised in recent data breach (Image: Shutterstock).

An exclusive Dow Jones & Co. watchlist of more than 2.4 million high-risk clients was unintentionally exposed due to a misconfigured and unsecured Elasticsearch database hosted on Amazon Web Services.

Theb&t apc223 pro directory was discovered Feb. 22, 2019 by security researcher Bob Diachenko, who found it after a third-party company left it open without a password. “Used by eight of the world’s ten largest, global, financial institutions Dow Jones Watchlist is statistically proven to be the most accurate, complete, and up-to-date list of senior PEPs (politically exposed persons), their relatives and close associates,” Diachenko wrote.

The database was left sitting on a public Elasticsearch cluster 4.4GB in size and available for public access to anyone who knew where to look. The

indexed, tagged and searchable list of 2,418,862 records

(some sources place the exposed records as high as four million) included current and former politicians, individuals with alleged criminal histories and possible terrorist links, and companies under sanctions or convicted of financial crimes. The exposed records included names, addresses, locations, birthdates, genders, whether they are deceased or not, and in some cases, photographs.

In a letter published by its stable companion,

The Wall Street Journal

, Dow Jones said, “To date, our extensive review has not uncovered any direct evidence that information was stolen, and we have taken steps to stop the unauthorized access.”

Multiple security experts weighed in on the incident.

“This security lapse from the Dow adds to a growing list of organizations in 2019 that have left Elasticsearch servers unprotected, therefore exposing massive quantities of proprietary data,” Chris DeRamus, CTO, Arlington, Va.-based DivvyCloud, said. “Dow Jones suffered a similar cloud storage misconfiguration two years ago that exposed the information of 2.2 million customers." DeRamus added, organizations must realize the importance of balancing their use of the public cloud, containers, hybrid infrastructure and more with proper security controls.

Carl Wright, chief compliance officer of San Diego-based AttackIQ, observed, “This data breach is particularly egregious for both the lack of very basic protection, a password, and the extremely high degree of sensitivity of the data. There may be people on the list that are innocent, and the risky individuals are now aware they are on the list and can change their tactics to avoid detection in the future.”

Wright suggested because such leaks are often caused by gaps in security programs that can be easily detected and prevented, organizations must take proactive approaches to protect their data through continuous evaluation of their existing security controls.

Anurag Kahol, chief technology officer and founder, Campbell, Calif.-based Bitglass held, “Leaving this information unprotected is both careless and irresponsible – as is failing to address the issue in detail with the public. While all organizations need to defend their data, Dow Jones, in particular, must adhere to the highest of security standards – the type of information that they collect, store, and share demands it.”

The onus is on the enterprise to secure access to the data that is being stored within the platform. “At the most basic level, this requires the use of a password (although this alone is not sufficient for cybersecurity),” Kahol also said.

"The lists of politically exposed persons, terrorists and convicted cybercriminals are compiled and curated from a variety of third-party databases,” Robert Prigge, president, Palo Alto, Calif-based Jumio, contributed. He noted because these lists are used by a variety of companies including Dow Jones, Thomson Reuters (now Refinitiv), and ComplyAdvantage, and contain the names of politically exposed persons and known criminals the effect on the Average Joe will probably be less.

Jake Olcott, VP at Boston-based BitSight, said, "It’s no wonder that third party risk has become the most significant cyberissue for organizations around the globe. More outsourcing has created more risk."

Additionally, Todd Peterson, identity and access management evangelist at Aliso Viejo, Calif.-based One Identity, said, “Compliance doesn’t care who you are. Even the bad guys’ personally identifiable information is subject to regulatory oversight. How are they going to do their ‘jobs’ if everyone knows who they are?”

Kevin Gosschalk, CEO, San Francisco-based Arkose Labs, warned, “The concerning trend of large-scale data breaches is how easy it has become for cybercriminals to weaponize the exposed data with automation in credential stuffing attacks – putting millions of people at risk.” Gosschalk added, companies must discover, track, and monitor their attack surface.

Jonathan Deveaux, head of enterprise data protection at comforte AG, commented: “

Dow Jones & Co.

is yet another example of a company that has failed its customers without taking proper security measures – and twice now. Really, it’s a classic case of a company wanting to invest in the cool technology, in this case Elasticsearch and AWS S3 buckets, but not understanding the security ramifications of that technology.”

Deveaux explained organizations need to adopt data security to protect their data, wherever it may exist or whomever may be managing it on their behalf.

View comments