A recently discovered breach exposed data on almost every one of Ecuador’s approximately 17 million citizens, including 6.7 million children. Aside from the scale, this breach is making front-page news for the sheer breadth of exposed information. The exposed files contained official government ID numbers, phone numbers, family records, marriage dates, education histories and work records.
This breach was made possible by a vulnerability on an unsecured AWS Elasticsearch server, where Ecuador currently stores some of its data. It reinforces the importance of understanding the security controls a chosen cloud provider has in place and what organizations may need to do to augment those policies and procedures.
Most cloud providers operate under a shared responsibility model, where the provider handles security up to a point and, beyond that, security becomes the responsibility of those using the service. Public cloud providers publish straightforward guidance on their shared responsibility models for security and compliance in cloud environments, but the unfortunate reality is that this guidance often gets ignored.
In fact, recent data from the CyberArk annual Global Advanced Threat Landscape report found that 75% of respondents rely primarily on cloud providers’ built-in security, and around half of organizations don’t have a strategy in place for securing privileged data and assets in the cloud. This represents an open door for malicious actors.
Ecuador isn’t the only government to expose its citizens’ data through an unsecured cloud server and probably won’t be the last. A similar Elasticsearch server exposed the voter records of approximately 14.3 million people in Chile, around 80% of its population.
As more and more government agencies look to the cloud to help them become more agile and better serve their citizens, it’s vital they continue to evolve their cloud security strategies to proactively protect against emerging threats – and reinforce trust among the citizens who rely on their services.