Exclusive A Cayman Islands-based investment fund has exposed its entire backups to the internet after failing to properly configure a secure Microsoft Azure blob.
Details of the fund's register of members and correspondence with its investors could be freely read by anyone with the URL to its Azure blob, the Microsoft equivalent of an Amazon Web Services S3 storage bucket.
As well as publicly exposing who its shareholders are, how many shares they hold, and the value of those holdings, the fund – which The Register is not naming after it agreed to talk in depth about its incident response process – had also saved a scanned copy of its online banking PIN to the blob. The Register viewed a subset of files from the blob to confirm their ownership and authenticity.
The fund's online banking PIN was one of the files anyone could have viewed on its unsecured Azure blob
The blob address was indexed by a specialised search engine and was pointed out to The Register by an incredulous infosec source who wisecracked: "Money money money... must be funny... in a rich man's world."
The unnamed fund's incident response consisted of disregarding the initial notification from The Register before asking a staffer with a compsci degree if he thought there was cause for concern. Luckily, that person realised what we were trying to tell them.
The fund's register of members (shareholders) – one of the things that Cayman Islands companies are not obliged to file with local authorities in the British Overseas Territory
He said: "We use Azure for our server backup, it's not our day-to-day server: people have set that up for us as a backup for disaster recovery and so on."
The person, who described himself as a compsci grad with a strong maths background, said his bosses asked him to look at our email again just in case there was something more to it "than a phishing attempt".
Sensitive internal documents including itemised bank statements could be viewed by anyone on the Azure blob
Documents seen by The Register in the unsecured blob stretch back years and include: scans of directors' passports; letters to and from investors including commented files sent during commercial negotiations; term sheets; share certificates (including blank copies); documents signed by its directors and more.
The compsci chap continued: "This was the [backup] solution provided by our IT vendor in Hong Kong which we saw as fairly normal cloud provision. Clearly there's some security issue there!"
Not only were completed share certificates scanned and uploaded but also blank copies, along with directors' signatures
He also added that the fund's IT provider had removed all of its files from its Azure blob as a result of the breach, while expressing some doubts about the IT provider's claim that Microsoft had ignored their requests for help over the weekend.
The fund, which falls into the smaller end of the SME bracket when judged on headcount, appears to have the same level of in-house IT expertise as any other small firm whose main business is not focused on IT; not a lot. They were completely unaware of how Azure operated or how their files had been exposed to anyone with a web browser and appeared to be totally reliant on their IT provider for everything other than basic office productivity software.
One of the fund's directors had scanned all the identity pages of his passport. This was indexed by a search engine for anyone to view and copy
The firm claims to have $500m under management, with its investors including sovereign wealth funds, prominent financial institutions, corporations and family offices. One of its investors is Rothschild & Co, the well-known investment bank. While Rothschild did not respond to our request for comment, it did pass El Reg's request to the fund, alerting it to its Azure woes.
Azure blob misconfigurations have been rather lower profile than publicised issues with AWS S3 buckets but, like Amazon, Microsoft has rolled out tools for checking one's storage is secure. Such tools are only useful if they're actually, you know, used.
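For readers who would rather not find out about this sort of thing from a search engine, the following is an added audit example (not code from The Register, the fund or its IT vendor) that walks the JSON the Azure CLI emits for a storage account's containers and flags any with anonymous access enabled, then prints the `az` commands that would switch it off. It assumes the `az storage container list`, `az storage account show`, `az storage container set-permission` and `az storage account update` commands with the fields and flags shown; the account name, resource group and container listing below are constructed sample data, not the fund's.

```python
import json
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of the JSON returned by
#   az storage container list --account-name <account> --auth-mode login --output json
# "publicAccess" is "container" (listable and readable by anyone), "blob"
# (readable by anyone who knows the URL) or null (private). Names are made up.
SAMPLE_CONTAINERS_JSON = """
[
  {"name": "server-backup",  "properties": {"publicAccess": "container", "lastModified": "2019-06-01T10:00:00+00:00"}},
  {"name": "scans",          "properties": {"publicAccess": "blob",      "lastModified": "2019-05-20T08:12:00+00:00"}},
  {"name": "private-archive","properties": {"publicAccess": null,        "lastModified": "2019-04-11T17:45:00+00:00"}}
]
"""

# Constructed sample of the relevant part of
#   az storage account show --name <account> --resource-group <rg> --output json
SAMPLE_ACCOUNT_JSON = """{"name": "examplefundbackups", "allowBlobPublicAccess": true}"""


def find_public_containers(containers_json: str) -> List[Tuple[str, str]]:
    """Return (container name, access level) for every container whose
    publicAccess is anything other than null, i.e. readable without a login."""
    exposed = []
    for container in json.loads(containers_json):
        level: Optional[str] = (container.get("properties") or {}).get("publicAccess")
        if level:  # "blob" or "container"; null/None means private
            exposed.append((container["name"], level))
    return exposed


def account_allows_public_access(account_json: str) -> bool:
    """True if the account-level switch still permits containers to be made public.
    Older accounts may omit the field; treat a missing value as 'allowed' so
    it is reviewed rather than silently passed."""
    account: Dict = json.loads(account_json)
    return bool(account.get("allowBlobPublicAccess", True))


def remediation_commands(account: str, resource_group: str,
                         exposed: List[Tuple[str, str]]) -> List[str]:
    """Build the az commands that close each exposed container and then
    disable public access for the whole account so it cannot be re-enabled
    by a later misconfiguration."""
    cmds = [
        f"az storage container set-permission --name {name} --account-name {account} "
        f"--auth-mode login --public-access off"
        for name, _level in exposed
    ]
    cmds.append(
        f"az storage account update --name {account} --resource-group {resource_group} "
        f"--allow-blob-public-access false"
    )
    return cmds


def fetch_live_json(args: List[str]) -> str:
    """Run an az command and return its JSON output. Only used when auditing a
    real account; the offline demonstration below uses the constructed samples."""
    return subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline run against the constructed samples (hypothetical account/resource group names).
    exposed = find_public_containers(SAMPLE_CONTAINERS_JSON)
    for name, level in exposed:
        print(f"EXPOSED  {name:<20} publicAccess={level}")
    if account_allows_public_access(SAMPLE_ACCOUNT_JSON):
        print("Account still allows blob public access at the account level")
    print("\nSuggested remediation:")
    for cmd in remediation_commands("examplefundbackups", "example-rg", exposed):
        print("  " + cmd)
```

Run as-is it reports the two exposed sample containers and prints the three lock-down commands; to audit a real account, feed `fetch_live_json(["storage", "container", "list", "--account-name", ...])` into `find_public_containers` instead of the sample string. Note that the `"blob"` level is the one that bit the fund here: the container itself is not listable, but any file whose URL has been indexed or shared is readable by anyone, so both levels should be treated as exposure.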
Last year an Automated Number Plate Recognition (ANPR) operator in the UK left millions of CCTV images accessible online from an unsecured Azure blob that, like this fund's setup, had no login or authentication controls applied to it. ANPR typically works by applying image-recognition software to photos captured by bog-standard CCTV cameras; in that case the raw images were stored in a location that was accessible to anyone with a web browser.
Aaron Zander of HackerOne commented to The Register: "In the past year, hackers on the HackerOne platform earned $260,000 in bounties for misconfiguration-related vulnerabilities."
Just because it ain't AWS doesn't mean it can't be left unsecured. ®