Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records
US cable giant the latest victim of S3 cloud security brain-fart
Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database.
Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years' worth of subscriber data wide open on the 'net. That data included addresses and contact numbers, information about their home gateways, and account settings.
Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.
When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.
"It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents," Kromtech's Bob Diachenko said.
"Not only could they access the documents, but any 'authenticated users' could have downloaded the data from the URL or using other applications. With no security in place, just a simple anonymous login would work."
The researchers found that the database included information on four million TWC customers collected between November 26, 2010 and July 7, 2017. The exposed data included customer billing addresses, phone numbers, usernames, MAC addresses, modem hardware serial numbers, account numbers, and details about the service settings and options for the accounts.
A spokesperson for TWC parent company Charter said the telly giant was aware of the cockup, and is notifying the customers who were exposed.
"Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them," Charter said. "There is no indication that any Charter systems were impacted. As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords."
BroadSoft did not return a request for comment.
This wouldn't be the first time errant settings on an AWS S3 instance have left records out in the open. Other poorly configured databases were blamed for leaking data on Chicago voters, Verizon subscribers, and even researchers with the Republican National Committee. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust