Cloud not properly protected at dozens of Dutch companies

At least fifty Dutch companies and organizations have not properly configured access to their cloud environment. This leaves personal data of Dutch citizens up for grabs for hackers and cybercriminals. Most likely, this is just the tip of the iceberg and several companies have the back door to their cloud open.

VPNGids March 5, 2024

News press release


This is according to research by BNR (1). The editors used the Gray Hat Warfare scan tool to uncover the poor configuration at dozens of Dutch companies.

Customer data public because cloud was not properly secured

The cloud is an ideal and secure place to store backup files and other business information. The only condition is that this data is not publicly accessible. Dutch companies and organizations fall short in this respect, according to BNR. Dozens of parties (the editors speak of at least fifty companies) have taken insufficient measures to keep company data safe in the cloud.

To err is human, but because of this mistake, confidential company data and customers' private data are freely available to anyone. BNR cites Sunweb, among others, as an example. The travel company had stored more than two thousand resumes and cover letters in the cloud. Because these were not properly protected, anyone could access them.

Resumes and cover letters of applicants were also public at wellness center Thermen Resorts. B&F Casting, which annually helps more than 15,000 extras find work in Dutch TV and film productions, had stored hundreds of scripts, briefings, resumes and signed contracts in the cloud without properly shielding them.

Half of companies took immediate action

BNR's editors approached all fifty companies and organizations whose cloud was misconfigured. About half took immediate action and secured the cloud environment against unauthorized access after all. Eighteen companies did not respond to BNR's message. The remaining eight found it unnecessary to take measures because no sensitive files were stored in the cloud.

At Sunweb, the security protocol took effect. According to a spokesperson, the documents accidentally ended up in the cloud. Three years ago, in fact, the recruitment software was moved to the cloud environment. All resumes and cover letters were immediately deleted. Thermen Resorts and B&F Casting also say they have since taken measures to prevent a recurrence.

'The problem may be a thousand times bigger'

Experts warn that Dutch companies should be careful with their data in the cloud. Companies often think that the cloud service provider is responsible for security. However, that responsibility lies with the companies themselves.

Eward Driehuis, president of cybersecurity community CSIRT Global, suspects that the 50 servers found are just the tip of the iceberg. "The problem is perhaps a thousand times bigger," he told BNR.

Editors discovered that it was possible to upload data at one company. An unforgivable mistake, emphasizes Roos Dijkxhoorn, founder of cybersecurity company Purasec. This is because it makes it very easy for hackers and cybercriminals to smuggle in ransomware or other malware. The server of the company in question has since been secured.

Customer data is 'a gold mine' for criminals

Two weeks ago, BNR reported that jewelry chain Brandfield (2) faced a data breach. The retailer had stored a backup of customer data in Google's cloud. This was not protected, so anyone could access this data without a password. At issue was data from some 60,000 customers who had placed orders between 2018 and 2020.

The cloud server in question was immediately disconnected from the Internet. The incident was reported to the Autoriteit Persoonsgegevens. All customers have been informed by the jewelry chain. Operations director Bas Beukers said he was greatly shocked by the incident. "We are not happy about it. But let this be a warning to others," he said of the incident.

Security experts believe that Brandfield has fallen seriously short. "Cloud storage is actually better secured than traditional storage. But then you have to make sure yourself that not just anyone has access," said Simon Besteman, director of the Dutch Cloud Community. Dave Maasland, CEO of cybersecurity company ESET Netherlands, warned that the data is "a gold mine" for hackers and can readily be used for phishing. The solution in his view is to create more awareness.

(1) https://www.bnr.nl/nieuws/technologie/10541786/tientallen-open-servers-bij-nederlandse-bedrijven-gegevens-op-straat

(2) https://www.vpngids.nl/nieuws/groot-datalek-bij-juweliersketen-brandfield/
