Unsecured Azure blob exposed 500,000+ highly confidential docs from UK firm's CRM customers • The Register
A business app developer's unsecured Microsoft Azure blob left more than half a million confidential and sensitive documents belonging to its customers freely exposed to the public internet, The Register can reveal.
Information contained in the blob included occupational health assessments, insurance claim documents from US firms underwritten by Lloyds of London, and senior barristers' private opinions about junior colleagues applying for promotion.
No security controls were in place on the Azure blob, meaning it was entirely public-facing, and anyone with the address of the files stored in it could view them without authentication – so they didn't need to log in or pass any kind of security check.
The blob also included FedEx shipment security documentation, internal complaints from foodstuffs firm Huel, an investment management firm, and countless others – and in at least one example seen by The Register a passport scan.
At least one fire brigade stored prospective recruits' pre-joining fitness test results in the blob. Again, this confidential medical data was there for anyone to see
The blob was operated by Surrey-based app developer Probase, and appeared to be in the public cloud underpinning one of its CRM products. It contained 587,000 files, ranging from backed-up emails to letters, spreadsheets, screenshots, and more.
Files viewed by us as we tried to figure out which firm owned the blob – and notify it that it needed locking up – also contained highly sensitive medical data. Some were about people who had applied for jobs with certain fire brigades – while others were occupational health assessments carried out by private medical firms.
The blob's address was passed to The Register by Oliver Hough, an infosec researcher concerned about the lack of security controls on it. He expressed hope that it would be closed off as soon as its owner was identified.
Hough told The Register: "Finding a storage bucket like this where a provider has lumped all of their clients' files in a single bucket rather than creating separate storage for each client demonstrates how, in 2020, the basics of secure design are still not being followed."
Occupational health assessments completed by doctors were also in the blob with no security controls preventing people from reading them
In a statement, Probase director Paul Brown told The Register: "We are working closely with the Information Commissioner's Office at present and advise we have no further comment at all."
Brown would not comment on how long the blob had been left unsecured, though files inside dated back to 2013. We have asked the ICO to comment.
One Probase customer is Huel, the liquidised foodstuffs company, which used a complaints-tracking system that appeared to be fed into the unsecured Probase blob. El Reg was able to view emails relating to a customer complaint about too many beans in a batch of Huel's dried product – and the supplier's response to Huel's concerns.
Huel appears to use a Probase-made application for internal tracking of complaints about its products. This email chain was freely viewable to all
Another customer was the QC Appointments company that decides which junior barristers are awarded promotion to the senior rank of Queen's Counsel. The Register was able to freely view comments submitted by the most senior barristers and judges in the land on whether their junior colleagues were suitable for promotion – or not.
The QC Appointments panel's supposedly private feedback proformas, as well as internal emails, were published on the blob for anyone to read at their leisure
Russell Warman, head of the QC Appointments company, told The Register: "Thank you for drawing this to our attention. We're making enquiries as a matter of extreme urgency."
We understand that Probase has begun informing its customers of its security failure. The blob has been closed off to public access.
A number of US insurance companies appeared to be using a CRM product that copied customer letters to the Probase blob
Other customers appeared to include both the Halal and Kosher certification bodies, which issue certificates to food suppliers confirming that their goods meet the Islamic and Jewish faiths' respective religious requirements.
Dave Barnett, head of edge protection at infosec vendor Forcepoint, told The Register: "It is fair to say not all cloud and mobile initiatives have had data privacy front of mind. What these breaches show us is that the balance between privacy and ease of access is not there yet. Whether from accidental or intentional loss, the bottom line is that our medical records describe who we are and that information is of great value to an attacker. If you lose your credit card number you can get another relatively easily, but we each only have one set of very personal medical records and any loss here is permanent."
Azure blob security has historically had a lower profile than AWS S3 buckets. With more and more evidence emerging that devs using Azure are relying on security through obscurity rather than proper access controls, it is to be hoped that IT admins start paying closer attention to their essential duties.
Customers trust the companies they deal with to take their security seriously. In turn, those companies trust their IT suppliers to secure their customer data properly, especially if it's being stored in the cloud. If you've got an Azure blob or an AWS bucket under your management, double-check your access controls before you knock off for Christmas.
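The "double-check your access controls" advice above is concrete enough to script. What follows is an added illustration, not code from the article, from Probase or from Microsoft: it evaluates each container's anonymous-access level against the account-wide "allow blob public access" switch and reports which containers really are readable without credentials. The evaluation itself runs offline on a constructed container listing; the `fetch_containers` helper is an optional live path that assumes the `azure-storage-blob` v12 SDK, and the account-level flag is assumed to be supplied by the caller from the management plane, since the data-plane listing does not carry it.

```python
"""Audit Azure Blob Storage containers for anonymous (public) access.

Added example; not the article's, Probase's or Microsoft's code. The offline
parts run on constructed sample data; the live path assumes the
azure-storage-blob v12 SDK and an identity allowed to list containers.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Container-level anonymous access levels as Azure Blob Storage reports them.
PRIVATE = None            # no anonymous access
BLOB = "blob"             # anonymous read of a blob whose URL you know; no listing
CONTAINER = "container"   # anonymous read AND enumeration of every blob


@dataclass(frozen=True)
class Finding:
    container: str
    public_access: Optional[str]
    exposed: bool
    detail: str


def classify(public_access: Optional[str], allow_blob_public_access: bool) -> Tuple[bool, str]:
    """Return (exposed, detail) for one container.

    The account-wide AllowBlobPublicAccess switch overrides the container
    setting: when it is False, Azure rejects anonymous requests even for a
    container that was marked "blob" or "container" before the switch was flipped.
    """
    if not allow_blob_public_access:
        if public_access in (BLOB, CONTAINER):
            return False, "marked public, but the account disallows anonymous access"
        return False, "private"
    if public_access == CONTAINER:
        return True, "anyone can list and read every blob without credentials"
    if public_access == BLOB:
        return True, "anyone who knows a blob URL can read it without credentials"
    if public_access is PRIVATE:
        return False, "private"
    raise ValueError(f"unknown public access level: {public_access!r}")


def audit(containers: Iterable[Tuple[str, Optional[str]]],
          allow_blob_public_access: bool) -> List[Finding]:
    """Evaluate every (name, public_access) pair; exposed containers sort first."""
    findings = [Finding(name, level, *classify(level, allow_blob_public_access))
                for name, level in containers]
    return sorted(findings, key=lambda f: (not f.exposed, f.container))


def exposed_names(findings: Iterable[Finding]) -> List[str]:
    """Names of containers that are genuinely readable without credentials."""
    return [f.container for f in findings if f.exposed]


def fetch_containers(account_url: str, credential) -> List[Tuple[str, Optional[str]]]:
    """Live path: list containers with their anonymous-access level.

    Assumption: azure-storage-blob v12 is installed. Imported lazily so the
    offline functions above work without the SDK.
    """
    from azure.storage.blob import BlobServiceClient
    client = BlobServiceClient(account_url=account_url, credential=credential)
    return [(c.name, c.public_access) for c in client.list_containers()]


# Constructed sample listing (not real account data): an account that still
# permits anonymous access at the account level, with one private container.
SAMPLE_CONTAINERS = [
    ("crm-documents", BLOB),
    ("email-backups", CONTAINER),
    ("invoices", PRIVATE),
]

if __name__ == "__main__":
    # Supply allow_blob_public_access from the management plane, e.g. the
    # storage account's allowBlobPublicAccess property (assumed here to be True).
    for f in audit(SAMPLE_CONTAINERS, allow_blob_public_access=True):
        flag = "EXPOSED" if f.exposed else "ok     "
        print(f"{flag} {f.container:<16} public_access={str(f.public_access):<10} {f.detail}")
```

The split between "blob" and "container" matters for triage: a "blob" container is the case the article describes, where knowing a file's address is enough to read it, while "container" additionally lets a stranger enumerate everything inside. Disabling anonymous access at the account level neutralises both in one change, which is why the audit treats that switch as authoritative.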