An improperly configured Azure blob belonging to CRM solutions developer ‘Probase’ has exposed 587,000 documents containing extremely sensitive information from a wide range of firms and industries. The blob was made public and had no password protection in place, so anyone with a web browser could have accessed and even downloaded the documents.
That would include medical data, emails, letters, spreadsheets, screenshots, insurance claims, promotion process feedback, drug and alcohol test results, occupational health assessments, and various other information that was not meant to be accessed by third parties.
The finding came from security researcher Oliver Hough, who tipped off The Register about it. Hough was shocked to find that Probase was putting the data of all its clients into a single container, a very bad security practice that has grave repercussions if that one container is compromised.
Hence, Probase not only made a configuration mistake but was also following a bad practice that magnified the effect of that error. If it had kept each client's data stored separately, the exposure from one misconfigured container would have been far smaller.
Probase director Paul Brown stated that they contacted the ICO (Information Commissioner’s Office), and that’s about it. No details about when the configuration error may have taken place were provided, and it also appears that the clients were left in the dark too. The Register reached out to a couple of firms like ‘QC Appointments,’ who thanked them for bringing the matter to their attention. With the publicity of the event taking off, Probase will be obliged to send notifications of a breach to all of its clients now.
Azure Blob is a cloud storage solution that may not enjoy the popularity of AWS buckets, but it’s on the rise without a doubt. The days when admins could rely on “security through obscurity” are long gone, and proper security practices are called for today.
To make sure you have done things right, check this list of key security recommendations compiled by Microsoft and apply everything on it to your blob storage. Remember, especially for smaller firms, this could be what makes the difference between a thriving business and shutting down under data-protection fines.
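The two settings that decide whether "anyone with a web browser" can read a blob are the storage account's anonymous-access switch and each container's own access level. The script below is an added example, not code from the article or from Probase or Microsoft: it audits exported configuration of the shape produced by `az storage account show` (`allowBlobPublicAccess`) and `az storage container list` (`properties.publicAccess`, which is `"blob"`, `"container"` or null), and reports every container that is readable without credentials. The field names are assumed from Azure CLI output; the account and container data are constructed samples.

```python
"""Audit an Azure storage account export for anonymously readable containers.

Added example (not from the article). Input shape is assumed to match
`az storage account show` and `az storage container list` JSON output.
"""
import json

# Constructed sample: an account that still allows anonymous access
# (the historical default) with three containers at different levels.
ACCOUNT_JSON = json.dumps({
    "name": "examplecrmstore",          # constructed name
    "allowBlobPublicAccess": True,
})

# Constructed sample: same account after the account-level switch is off.
LOCKED_ACCOUNT_JSON = json.dumps({
    "name": "examplecrmstore",
    "allowBlobPublicAccess": False,
})

CONTAINERS_JSON = json.dumps([
    {"name": "client-a-uploads", "properties": {"publicAccess": "container"}},
    {"name": "client-b-uploads", "properties": {"publicAccess": "blob"}},
    {"name": "internal-backups", "properties": {"publicAccess": None}},
])


def public_containers(account_json: str, containers_json: str) -> list:
    """Return names of containers that anonymous clients can read.

    A container is reachable without credentials only when the account-level
    switch permits anonymous access AND the container itself is set to
    'blob' (blobs readable by URL) or 'container' (blobs readable and listable).
    """
    account = json.loads(account_json)
    # Older accounts default to True when the property is absent.
    if not account.get("allowBlobPublicAccess", True):
        return []
    exposed = []
    for container in json.loads(containers_json):
        level = (container.get("properties") or {}).get("publicAccess")
        if level in ("blob", "container"):
            exposed.append(container["name"])
    return exposed


def audit(account_json: str, containers_json: str) -> list:
    """Return (severity, message) findings, most important first."""
    findings = []
    account = json.loads(account_json)
    if account.get("allowBlobPublicAccess", True):
        findings.append(("medium",
                         "account permits anonymous blob access "
                         "(allowBlobPublicAccess is true)"))
    for name in public_containers(account_json, containers_json):
        findings.append(("high",
                         f"container '{name}' is readable without credentials"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(ACCOUNT_JSON, CONTAINERS_JSON):
        print(f"[{severity.upper()}] {message}")
```

Running the script on the constructed sample flags the account-level switch and the two client containers; `internal-backups` is not reported because its access level is null (private). Note that the audit treats the account switch as decisive: once `allowBlobPublicAccess` is false, the per-container levels no longer matter, which is why turning that switch off is the quickest way to close an exposure like the one described above while the per-container settings are reviewed.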