Dow Jones customer data exposed in cloud error


Data on millions of Dow Jones customers was potentially exposed to unauthorized access on Amazon Cloud due to a configuration error, a spokesman for the publishing and financial information giant confirmed Monday. 

The spokesman told The Hill that personal data on 2.2 million customers had been over-exposed on Amazon Cloud as a result of an internal error. There is no evidence that malicious actors accessed the information, however. 

The data included customers’ names, email addresses and some financial details — including the last four digits of some credit cards — though Dow Jones said that neither full account login credentials nor full credit card information was exposed. 

“This was due to an internal error, not a hack or attack,” the spokesman said. “We have no evidence any of the over-exposed information was taken.” 

Cybersecurity firm UpGuard discovered the exposure and notified Dow Jones of it in early June. Those affected include subscribers to Dow Jones publications like The Wall Street Journal. UpGuard put the number of affected accounts closer to 4 million. 

When asked whether the company had notified customers caught up in the data exposure, the Dow Jones spokesman indicated that the information was not sensitive enough to require it. 

“The customer information included basic contact information; it did not include full credit card or account login information that could pose a significant risk for consumers or require notification,” the spokesman said. 

However, UpGuard argued in a blog post published Monday that the data “could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past,” such as phishing scams tailored to individual targets. 

UpGuard also discovered that exposed data was related to the Dow Jones Risk & Compliance databases, which are used primarily by financial organizations to comply with anti-money laundering, anti-bribery and other regulations. 

Dow Jones said that the exposed risk and compliance data included only publicly available information, such as that from news articles, and not customer information. 

The Amazon Cloud repository was inadvertently configured to allow for “semi-public” access, letting any authenticated user of Amazon Web Services (AWS) download the data, UpGuard said. That included any user who has a free Amazon AWS account. 
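
As an added illustration (not part of the original article, and not code from Dow Jones or UpGuard), the check below flags the "semi-public" setting in an access control list and shows the corrected form. It assumes the repository is an S3 bucket and that the setting corresponds to a grant to S3's predefined AuthenticatedUsers group; the sample ACL and the function names are constructed for this example.

```python
import json

# Predefined S3 grantee groups that reach beyond the owning account.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "public",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "semi-public",
}

# Constructed sample in the shape returned by `aws s3api get-bucket-acl`.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"DisplayName": "example-owner", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
""")

def risky_grants(acl):
    """Return (exposure, permission) for every grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to named accounts are not global exposure
        exposure = GLOBAL_GROUPS.get(grantee.get("URI"))
        if exposure:
            findings.append((exposure, grant.get("Permission")))
    return findings

def without_global_grants(acl):
    """Return a copy of the ACL that keeps only grants to named principals."""
    kept = [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") not in GLOBAL_GROUPS]
    return {**acl, "Grants": kept}

if __name__ == "__main__":
    for exposure, permission in risky_grants(SAMPLE_ACL):
        print(f"{exposure} grant: {permission}")
    print("after fix:", risky_grants(without_global_grants(SAMPLE_ACL)))
```
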

The information on the exposure was passed on to Dow Jones on June 6, and the company’s cybersecurity firm worked to secure the data in less than two hours, the Dow Jones spokesman said.

“We immediately secured the data once we became aware of the problem. We take the security of Dow Jones information very seriously,” the spokesman added. 

The Wall Street Journal first reported the data exposure on Sunday.

The revelation comes a week after a cloud server problem resulted in personal information on as many as 14 million Verizon customers being publicly accessible.