Cloud misconfigurations are costing businesses trillions

This month, a Virgin Media database was left accessible online for 10 months placing 900,000 customers' personal information at risk – events like this are all too common
24 March 2020

Virgin Media left 900,000 customer data exposed. Source: AFP

The worldwide public cloud services market is set to rise 17 percent in 2020, netting a market value of US$266.4 billion.

As the adoption rate of cloud technologies climbs rapidly, so too, have data breaches caused by misconfigurations. 

In the last two years, close to 33.4 billion records were exposed due to cloud misconfigurations according to the Ponemon Institute.

The same report pinned the average cost as US$150 per record exposed globally, as a result of associated fines, repairs and lost business. Based on that figure, in 2018 and 2019, breaches would have cost global businesses around US$5 trillion.

This month, a Virgin Media database was left accessible online for 10 months – visible to those who would go looking and probing – placing 900,000 customers’ personal information at risk. 

The database represented about 15 percent of the company’s entire customer base and contained personal details such as phone numbers, home and email addresses, collected for marketing purposes. 

The data breach was not the result of bad actors or hackers; instead, it was a misconfiguration by a staff member that failed to follow the correct procedure, the company stated. It added that it didn’t know if the data had been compromised in that time. 

“Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion, but we do not know the extent of the access or if any information was actually used,” Lutz Schüler, CEO of Virgin Media, said in a press release.

Similar to Virgin Media’s incident, other global brands have fallen victim to cloud misconfiguration and these cases all too often discovered if not by hackers, then by researchers. 

Last year, automaker Honda exposed close to 26,000 vehicle owners’ data. The data was leaked due to a misconfiguration of an Elastisearch cluster and left personally identifiable information (PII) of customers from the US unprotected.

The team was quick to fix and prevent the situation from escalating but, in some cases, a mega data breach could spell the closure of an entire operation.

August 2019 marked the closure of Google+, a consumer-centric platform that allows users to connect and interact. The announcement came after the tech giant discovered a bug in Google+ that had left 500,000 user’s data exposed for up to three years.

The company revealed an additional bug was found in a Google+ API, which exposed the personal data of 52.5 million users. The bug had led Google+ profile data that was private to become accessible, including name, age, occupation, and data shared privately between users. 

The reality is, however, that while there are many high-profile examples of cybersecurity lapses such as these, many will either be left unnoticed, discovered by the company itself and quickly buried, or worse, compromised by malicious actors.

A study by DivvyCloud suggested that mergers and acquisitions (M&A) integrations could be one of the most common reasons for these oversights, while overly-ambitious cloud migration targets and pressures can lead to corners being cut.