SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Personal details of 12,000 social media ‘stars’ leaked in avoidable breach
Tue, 6th Feb 2018
FYI, this story is more than a year old

The UpGuard Cyber Risk Team recently revealed a significant security breach that took place in January this year.

Octoly, a Paris-based brand marketing company inadvertently leaked the personal details of 12,000 social media ‘stars' via an unsecure AWS S3 bucket.

A cloud repository belonging to Octoly was left exposed, revealing a backup of their enterprise IT operations and sensitive operation of the firm's registered online personalities.

Octoly places products made by its brand customers into the hands of its registered social media personalities, with the ultimate goal being to increase number of reviews from vloggers, Instagram stars, and Twitter users trusted by young consumers.

While the company asserts that no money changes hands between the firm, the brands, and these ‘creators' for such reviews, the creators are able to take their pick from a free selection of merchandise offered by Octoly and their brand partners.

Given Octoly needs to be able to send free products to these influential creators - and, for analytical purposes, track the reach and success of such product placements - the company registers these creators within their IT systems, gathering a great deal of personal details, including the creators' contact information.

Such personal information for over twelve thousand people was exposed in the bucket. A table titled “Creators” contains such details as the real names, home addresses, birth dates, and phone numbers of these individuals, many of them known only by their first names or pseudonymously online.

Perhaps the most jarring fact from the situation is that according to UpGuard, Octoly was informed of the exposed cloud repository on January 4th, yet the personally identifiable information was not secured until February 1st.

Bitglass CTO Anurag Kahol says the recent Octoly data breach once again demonstrates the importance of proper configuration and security for cloud services.

“While the growing popularity of public cloud applications has made businesses more flexible and efficient, it has also raised awareness about previously unseen security vulnerabilities. This is because many of the most popular cloud applications provide little visibility or control over how sensitive data is handled once it is uploaded to the cloud,” says Kahol.

“In essence, users are expected to blindly trust that their data is secure. As public cloud adoption rises, organisations must ensure all systems are properly configured and secured – customer privacy and trust depend on it."