- Request A Quote
In December 2021, tech publications reported that German headphone maker Sennheiser exposed the personal data of 28,000 customers to potential hackers. The source of the vulnerability? An unsecured Amazon Web Services S3 bucket.
Sennheiser is a world-class brand. We have every reason to assume the company’s IT team is smart, competent, and dedicated. But in this case, they allowed a common and understandable misconception to put their customers’ data—and their brand’s reputation—at risk.
Let’s use this story as an important reminder for your organisation.
AWS (and the other cloud storage providers) won’t automatically secure your data.
Sennheiser’s apparent misconception was believing that by storing their customers’ data in the cloud with AWS, they would also be protecting those digital assets by default. The Amazon team will protect our data stored on their cloud, won’t they? Not necessarily.
Remember, they don’t call it secure cloud storage. They call it a bucket.
When you sign up with one of the major cloud storage companies, you need to investigate the data-protection services the company provides—if any—and to what extent they take responsibility for securing your corporate data.
As a quick refresher: Amazon’s “S3” stands for Simple Storage Service. None of those 3 S’s stands for security.
Also, AWS describes the storage container for S3 data as a “bucket.” That should tell you a lot about how AWS views the division of responsibility for security. They set up a digital container for your data in the cloud—the bucket—and your IT team takes it from there. You’re responsible for what goes into the bucket and for protecting its contents.
Don’t take our word for it. Here’s how Amazon’s AWS Data Protection page describes the breakdown of responsibility for its customers’ cloud data protection:
“With AWS, you control your data by using powerful AWS services and tools to determine where your data is stored, how it is secured, and who has access to it.”
As you can tell from that statement, yes, Amazon offers a menu of data security options you can choose to purchase when you sign up for AWS cloud storage. But those services are separate line items on your agreement, not included in standard storage service.
It is entirely possible to enter into an enterprise contract for storing corporate data with AWS—and have no protections applied to that data. That’s what happened to Sennheiser.
Azure own risk.
In case you’re wondering, Microsoft Azure’s official policy tells a similar story. Here is a statement from their page called Shared Responsibility in the Cloud. (Telling title, isn’t it?)
“For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type.) Regardless of the type of deployment, the following responsibilities are always retained by you:
What does this mean for your company?
If you’re maintaining your corporate data with any of the cloud storage companies, the Sennheiser data leak should serve as a reminder for your team to take a couple of important steps immediately.
First, make sure you’ve applied appropriate security measures to all of the data that you have stored on that provider’s cloud, and make sure those measures are still up and running smoothly. Second, make sure someone—either internal staff at your company, or a trusted third-party vendor—is monitoring that data 24/7.
Caution: If your business is like many of the organisations we talk with here at KeepItSafe, you’ll discover that you are falling short in at least one of those two processes. Either you’ve left some (or even all) of your corporate data unsecured in cloud storage, or you don’t have anyone responsible for keeping an eye on that data to ensure its continued security.
That’s why we recommend conducting this review immediately. And the easiest place to start is by contacting the company currently securing mission-critical corporate data every day for more than 20,000 businesses around the world.
Enter your email below to be notified about new articles.
“Disaster Recovery Planning: Getting from Good to Great”