Internet service providers are expected to be extremely careful with data security, but a recent storage misconfiguration has exposed a large volume of confidential data.
Sources confirmed that Pocket iNet, an ISP based in Washington that is known among customers for providing home broadband, video streaming and related services, had exposed over 73 gigabytes of corporate data because of an improperly configured Amazon S3 storage bucket.
The news was first confirmed by cybersecurity firm UpGuard, and because of its timely notification, the leak was found before even more confidential data was released.
The firm found that the ISP had misconfigured the Amazon S3 storage bucket, which in turn allowed any third-party user or organization to access and download the information stored in it.
By default, these actions are supposed to require authorization, but the erroneous configuration allowed anyone to perform them without providing administrator credentials.
One of the Leading ISPs That Lapsed in Security
With large amounts of user and company information stored on their AWS services and transacted on a daily basis, internet service providers should put customers’ security first. Pocket iNet is known for the technology it uses in terms of internet speed, local fiber and IPv6 adoption.
It is therefore surprising that the company leaked so much data because it failed to pay enough attention to security.
In its official blog post, the security firm UpGuard wrote that it was mainly the employees at Pocket iNet who were affected, as many passwords in plain text, along with AWS secret keys, were leaked.
The leaked content also included internal network diagrams, configuration details and inventory lists.
Some photographs of the equipment used by Pocket iNet were leaked as well, which should give competitors a clear idea of the type of routers, towers and cable models the company used to provide its services.
While every security firm and researcher has been urging the use of stronger passwords, it was once again revealed that the majority of the passwords used by the company’s employees were simply root or admin.
This gave employees instant access to the ISP's sophisticated computer systems, but such simple passwords were highly vulnerable in that anyone could guess them and use them to gain access to the ISP's services, as mentioned in the report.
Pocket iNet Security Lapse Leaked Corporate Information
UpGuard notified Pocket iNet immediately after finding that the company had not configured its AWS storage properly.
In theory, anyone on the internet now has access to the usernames, passwords and links to access confidential servers and towers within the ISP’s network.
The leak is all the more serious because it affected not only the company: its priority customers, other corporate firms including the Lourdes Medical Center, Richland School District, Toyota and Lockheed Martin, also lost some of their data.
The ISP, according to the security firm, was not quick to respond, taking nearly seven days to bring the issue under control.
The issue centered on a publicly exposed bucket named “pinapp2”, which held approximately 73GB of data.
UpGuard noted that a particular folder labeled “tech” was easily downloadable. This folder contained the sensitive data that was exposed in the leak.
UpGuard’s Effort to Control the Situation
Further in its statement, the security firm and its team of researchers confirmed that they repeatedly called and emailed the people at Pocket iNet to get the bucket secured as soon as possible.
They tried to speed things up by directly downloading information from the leaked AWS data and calling important staff within the organization.
The team assumed this would show the severity of the issue and push the company to close it quickly.
In a media statement, Pocket iNet clarified that the single folder that was leaked was accessible to Amazon administrative users without possessing any administrator rights.
In a separate press release on the matter, Pocket iNet added that the leaked information was outdated and would not affect users of the ISP. Customer data, including financial information and other such details, is completely safe, according to Pocket iNet’s statement.
The company has initiated a company-wide analysis to ensure its digital data is secure and promised to keep a close watch so that no such leak occurs in the future.