July Systems data leak: Massive trove of sensitive information exposed online via unsecured database
Over 1,000 usernames and passwords of Unilever managers in India were also exposed as part of the breach.
A massive trove of sensitive data was left freely exposed online by San Francisco-based July Systems. The company's cloud-based location intelligence and engagement platform, called "Proximity MX", which contains proprietary information belonging to the firm and its clients, was exposed via unsecured Amazon S3 databases.
There have been numerous massive leaks caused by unsecured S3 buckets over the past year which have exposed incredibly large troves of data from various organisations. Most recently, classified US Army and NSA data was also left exposed, thanks to an unsecured S3 bucket.
According to security researchers at Kromtech, who discovered the three leaky S3 buckets, July Systems' platform is used by several high-profile companies, including CNN, ESPN, Intel, Toys "R" Us, CBS, Fox, and NBC Universal.
July Systems' Proximity MX platform connects individuals' digital footprints – in particular, tracking consumer behaviour such as spending. The platform allows the company's clients to engage consumers with relevant offers and promotions and allows the data to be "integrated into existing systems".
According to Kromtech security researcher Bob Diachenko, the data exposed includes security credentials for iPhone and Android apps, repository credentials (that could have potentially allowed anyone access to sensitive client data or tracking data), internal builds and development tools for various clients including NFL, CBS, Amex, NBA, FOX, PGA and more.
Diachenko told IBTimes UK that Kromtech "first spotted two July System related buckets and one Cisco-related bucket on November 20," adding that all of the databases were being updated in real time.
"All three buckets were part of one ecosystem called EMSP," Diachenko told us. "EMSP stands for Enterprise Mobility Services Platform. It can gain valuable customer insights and personalize customer mobile experiences by leveraging a Wi-Fi network. JulySystems partners with CISCO to power EMSP."
"The real issue is that the discovery is part of a much bigger network and exposed passwords that could have been used by cybercriminals to gain access to secured areas of their data infrastructure," Diachenko said in a blog.
The leaky databases also exposed files with names and brands such as "Katy Perry, NFL, NBA," among others. One of the folders exposed over 1,000 usernames and passwords of Unilever managers in India.
According to Diachenko, the breach was likely caused by a "human error" which left several of July Systems' S3 servers without passwords and publicly accessible. It is still unclear whether the databases were accessed by any other third parties. It is also unclear how long the company's S3 buckets remained exposed before they were discovered.
Diachenko told us that two of the S3 buckets were secured within a couple of days of July Systems being notified about the breach. However, the Cisco-related server remained exposed for another week before it too was secured.
IBTimes UK has reached out to July Systems for further clarity on the matter and is awaiting a response.