Dow Jones and Company, publisher of the Wall Street Journal, exposed sensitive personal and financial details of millions of its customers, including Wall Street Journal subscribers.
According to a report from cybersecurity firm UpGuard, a misconfigured server containing customer data allowed “semi-public access” to as many as four million accounts. Dow Jones has confirmed at least 2.2 million customers were affected.
According to UpGuard, the exposed data includes names, addresses, account information, email addresses, and last four digits of credit card numbers. An additional 1.6 million entries from the Dow Jones Risk and Compliance database—a subscription-based corporate intelligence program used by financial institutions—were also exposed.
Steve Severinghaus, the Director of Editorial Communications at Dow Jones, emphasized to International Business Times that no full credit card or login information “that could pose a significant risk for consumers or require notification” was included in the exposure. He also said information from the Risk and Compliance database did not contain any customer information.
Severinghaus, who described the situation as “data over-exposure, not a leak,” said the content was exposed via Amazon cloud and “not the open internet.”
UpGuard reported the exposed data was found on an Amazon Web Services (AWS) repository that was configured to allow any “authenticated” AWS user to download the data from the URL where it was hosted. There are over one million authenticated AWS users and registration for an account is free.
While UpGuard did not disclose when it informed Dow Jones of the database issue, the company first discovered it on May 30 and accessed it on June 1. Nearly a month and a half later, the exposure was disclosed to customers.
UpGuard called Dow Jones’ response to the exposure “sluggish” and “of great concern,” noting how important it is for companies to inform customers so they can secure their information and mitigate the possibility of a malicious attacker targeting their accounts.
Severinghaus noted the exposure was the result of an internal error, not a hack or cyberattack, and was addressed quickly. “We immediately secured the data once we became aware of the problem,” Severinghaus said. “We take the security of Dow Jones information very seriously.”
The Dow Jones exposure is just the latest case of customer records potentially being exposed because of a misconfigured Amazon server. Earlier this month, 14 million customer records from Verizon, including account PINs, were exposed by a third-party company. Personal information of more than three million WWE wrestling fans was also found exposed online on a server this month.
Earlier this year, nearly 200 million voter registration files that could be used to identify American voters were discovered on an unsecured Amazon server owned by Republican data analytics firm Deep Root Analytics. The database contained voter names, dates of birth, home addresses, phone numbers and voter registration details including party affiliation. The data sets also listed voter ethnicity and religion.