Location Intelligence Company Leaks Multiple Repositories Full of Data OnlineBack to blog
The Kromtech Security Center has discovered at least 3 Amazon S3 repositories (‘buckets’) that appear to belong to San Francisco based July Systems.
In today’s world we are more connected to devices and data than ever before and the value of data collection is now transforming to be more targeted for advertising and engagement, but with the advancement of data collection also comes the dangers of storing it securely. July Systems have developed a platform to revolutionize how physical spaces are connected and data is monitored. This cloud based platform also contains what appears to be proprietary information that competitors could easily use to get an edge on the business and undermining years of research and development. Now imagine that a simple misconfiguration has left multiple repositories publically available to anyone with an internet connection?
The company's platform and mobility solutions are used by companies including CNN, ESPN, Intel, Toys"R"Us, CBS, Fox, and NBC Universal.
July Systems was founded in 2001 and found a niche in emerging technology products through their Location Intelligence and Engagement Platform called “Proximity MX”. The goal is to connect physical spaces to a cloud software platform that engages with visitors, gathers data and then shares that data with existing digital systems. July Systems Inc. is headquartered in Burlingame, California with a global development center in Bangalore, India and researchers have discovered data that appears to come from both locations.
The concept is that visitors are considered a “digital ghosts” when they go to a shopping mall, hotel, business center or any physical location. However, they leave behind many digital footprints and what Proximity MX does is connect with them, tracks activity, engages with them using things like offers and promotions, and allows this data to be integrated into existing systems.
What the data leak contained
The misconfigured Amazon AWS “Buckets” were mistakenly left open by administrators who set the repositories to public instead of private. This would allow anyone with an internet connection to view or download thousands of files belonging to July Systems and its clients. The real issues is that the discovery is part of much bigger network and exposed passwords that could have been used by cyber criminals to gain access to secured areas of their data infrastructure.
Security Certificates for iPhone and Android Applications
Repository Credentials - This could have potentially given access to additional areas of the network or sensitive client or tracking data.
Folder Titled AMEX - 989 XLS files inside showing targeted offers, original & discounted prices, how many total impressions, shopper impressions. This gives a very clear understanding of how their customer engagement works and shows in exact numbers.
Assets.mo2do: Folders with names and brands like Katy Perry, NFL, NBA and many others. There were CSS files, scripts and other campaign specific data.
Their “Feed Recorder” was also available when the vulnerability was first discovered, but was closed after security notification has been sent to July Systems.
It contained the internal builds and development tools for a number of July System clients such as NFL, CBS, Amex, NBA, FOX, PGA and more. One of the folders even contained 1,000+ user logins and passwords for Unilever users in India
One of the folders contained more than 1 thousands usernames and passwords for Unilever managers in India.
The Danger of a Misconfigured Repositories
According to their website they ensure that the data they collect is secure & compliant and conforms to the highest levels of compliance and global regulations.
ISO 27001:2013 and SOC 2 Type I Compliant
Data Privacy & PII Compliant
Although their data privacy and security measures appear to be up to industry standards, it was most likely a simple human error that resulted in several Amazon Web Services S3 storage servers that required no password to access. This error is what makes these types of leaks so difficult to manage or identify.
In October 2017 the Kromtech Security Center released a free tool that allows administrators to check if their Amazon AWS S3 buckets are exposed to the public. Data leaks appearing from misconfigured AWS S3 buckets will continue to be a massive problem. Companies and organizations who store sensitive data must focus on every aspect of data security. Auditing and monitoring security trends is also important, but cloud storage repositories need to be monitored as well. Kromtech’s free scanning tool is a good way for administrators to check whether the data is secure or not.