Data Storage Accident Puts Over 300,000 Companies At Risk
By: Jim Stickley and Tina Davis
February 1, 2020
Cloud storage data breaches are in the headlines a lot; certainly more than we’d like them to be. Companies using Amazon Web Services (AWS) and MongoDB cloud storage found themselves on the losing end of data exposure. Researchers discovered BIG-IP, a popular load balancing software from F5 Networks, had a serious data vulnerability issue. The flaw put the PII (Personally Identifiable Information) of more than 300,000 businesses using BIG-IP at risk of accidental exposure. Yes, accidental. We most often hear that hackers are behind data theft, but this breach is a result of misconfigured settings that could have been avoided. It adds a whole new level of frustration for those who trust a business will keep their PII protected.
BIG-IP is a popular load balancing software from F5 Networks. Clients use BIG-IP to increase the reliability and capacity of the apps they use to conduct business. Load balancing improves system efficiency by decreasing the overall burden that app use presents to a server. F5’s technology focuses on the security and performance of web apps, data storage, and other network components. The company claims the possibility of data exposure with their BIG-IP customers didn’t come from their software. Instead, F5 says the vulnerability is due to misconfigured iRules. Just another case of playing the blame game. iRules is a traffic management system that helps BIG-IP run more efficiently, and F5 says there’s nothing they can do about the flaw. They do admit that when iRules are incorrectly configured, they also attract hackers looking to steal data and install malware. The immense popularity of BIG-IP only adds to the number of those risks.
"Unless an organization has done an in-depth investigation of this technology, there's a strong chance they've got this problem," says Christoffer Jerkeby, F-Secure senior security consultant who discovered the issue. "Even someone incredibly knowledgeable about security that works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organizations better protect themselves from a potential breach scenario."
Understanding configurations that protect data is vitally important, especially if they are default settings set by the manufacturer. Reviewing and understanding these settings can help prevent accidental exposure, so making the right choice is crucial. If those responsible for these settings feel they aren’t able to properly configure them, they should have a cybersecurity professional evaluate and test the settings. Making sure security patches and updates are installed as soon as they are available also helps address vulnerability flaws. Millions of customers worldwide rely on responsible and effective security management from those in charge of keeping their PII safe.
Earlier this year, AWS and MongoDB data storage services experienced a similar data security situation. Vulnerabilities in both services allowed misconfigured privacy settings, leading to a number of accidental breaches. F5 believes BIG-IP users who choose incorrect privacy settings are directly responsible for the inadvertent PII exposure.