File this report away under “how not to respond to a data breach.” Yes, it has happened again, and this time to the financial giant Dow Jones & Company.
The UpGuard Cyber Risk Team discovered a cloud-based file repository controlled by the company that had been misconfigured, allowing semi-public access to it. The repository was discovered on May 30, and the database was secured by the company on June 6. Dow Jones & Company confirmed the leak on July 16 but, thus far, has made little effort to notify its potentially impacted customers.
Unfortunately, there may be a lot of them. Based on UpGuard’s estimates and given the size of the database, anywhere from 2.2 million to 4 million Dow Jones customers could have been impacted. If you subscribe to the Wall Street Journal or Barron’s, your name, address and the last four digits of whatever credit card you used to pay for your subscription may have been stolen.
In addition to that, the company maintains a series of interconnected databases called “Dow Jones Risk and Compliance.” This is normally accessible by subscription only, and is used by large financial institutions to help manage risk and deal with compliance issues surrounding anti-money laundering regulations.
According to UpGuard security researcher Dan O’Sullivan, “The data exposed in this cloud leak could be exploited by malicious actors employing a number of attack vectors already known to have been successful in the past. The aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information.”
With a list of 4 million subscribers to Dow Jones publications, it is not hard to see how malicious actors could deploy phishing messages against exposed customers. By sending official-looking emails purporting to be from The Wall Street Journal, notifying customers that their subscription had lapsed or that their accounts had been compromised, malicious actors could have succeeded in convincing such high-value targets to supply credit card information, login credentials or more.
These days, data breaches are a fact of life, and how a company responds in the face of such an event really matters. Dow Jones & Company will likely be dealing with the fallout from its mishandling of the event for months, if not years, to come. Don’t use its response as a template for your own should your company find itself in similar circumstances.