Thomson Reuters acknowledged a database leak that exposed at least 3TB of customer data, although the multinational media conglomerate attempted to downplay the gravity of the issue.
According to the Cybernews research team, Thomson Reuters left three databases unsecured for anybody to access without authentication. The information news website reported that one of the databases contained “sensitive, up-to-date information from across the company’s platforms.”
Security experts warned that threat actors could exploit the data to execute attacks ranging from social engineering to ransomware.
Thomson Reuters database leak exposed sensitive platform and customer data
According to Cybernews, one leaked database contained “sensitive customer and corporate data, including third-party server passwords in plaintext format.”
The Elasticsearch database contained 6.9 million unique logs collected from client interactions, including login and password reset logs. Although the logs did not expose the users’ passwords, they show the account holder’s email address and when they initiated the password change request.
Additionally, the logs recorded the SQL (structured query language) queries that Thomson Reuters’ clients ran and the results they received, including corporate and legal information.
The leak also exposed corporate and legal information for businesses and individuals. For example, the company’s ONESOURCE Global Trade Product allows clients to search for information on export/import controls, restrictions, and sanctions. According to the researchers, an employee of a U.S. company had searched a Russian company using the Thomson Reuters tool and found that the board members were under U.S. sanctions.
According to Cybernews, the open instance was indexed by popular IoT search engines, thus expanding the attack surface. Cybernews could not determine or did not disclose if any threat actor had accessed the exposed customer data. However, cybercriminals typically detect open cloud databases within minutes.
Thomson Reuters downplays database leak
Thomson Reuters explained that an “isolated error in the product environment resulted in the inadvertent misconfiguration of the non-production environment.”
The media giant explained that two exposed databases were supposed to be publicly accessible. The company claimed that the third database was a “non-production server” containing application logs from the pre-production environment and was only accessible to a “small subset of Thomson Reuters Global Trade customers.”
The media giant justified the logging mechanism by claiming that “the server contains the information needed to operationally support the platform.”
Cybernews explained that although a non-production server might not hold application data, such information is no less sensitive.
Nevertheless, the media company secured the database, launched an investigation, and began notifying customers.
Cybernews suggested that the database leak resulted from a “misconfiguration on the AWS Elastic Load Balancing service” whose rules did not fully cover access controls, leaving the instance reachable without authentication.
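The misconfiguration described above is the kind of thing a defender can catch before an IoT search engine does. The following Python script is an added example, not code from Cybernews or Thomson Reuters: it audits a simplified, constructed description of load balancers (their listeners, their scheme, and the security-group ingress rules in front of them) and flags data-store ports such as Elasticsearch’s 9200 that are exposed to the whole internet without an authenticating layer. The `LoadBalancer`, `Listener` and `IngressRule` shapes, the `requires_auth` flag and the sample configurations are assumptions made for the example; they are not AWS API objects.

```python
"""Audit a simplified load-balancer description for internet-exposed data stores.

Added example. The data model below is a constructed simplification, not the
AWS ELB or EC2 API, and the sample configs are invented for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports of services that should never be reachable from the public internet
# without an authenticating layer in front of them.
DATA_STORE_PORTS = {
    9200: "elasticsearch-http",
    9300: "elasticsearch-transport",
    27017: "mongodb",
    6379: "redis",
    5432: "postgresql",
}


@dataclass
class IngressRule:
    port_from: int
    port_to: int
    cidr: str  # IPv4 or IPv6 CIDR allowed to reach the listener


@dataclass
class Listener:
    port: int
    scheme: str          # "internet-facing" or "internal" (ELB terminology)
    requires_auth: bool  # assumption: an auth proxy/IdP sits in front


@dataclass
class LoadBalancer:
    name: str
    listeners: list[Listener]
    ingress: list[IngressRule]


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers(rule: IngressRule, port: int) -> bool:
    return rule.port_from <= port <= rule.port_to


def audit(lb: LoadBalancer) -> list[dict]:
    """Return one finding per data-store listener with an over-broad ingress rule.

    critical: internet-facing, world-open rule, and nothing enforcing auth.
    warning:  a world-open rule exists, but the listener is internal (still
              over-broad: a scheme change would expose it instantly).
    """
    findings = []
    for ls in lb.listeners:
        service = DATA_STORE_PORTS.get(ls.port)
        if service is None:
            continue
        world_open = [r.cidr for r in lb.ingress
                      if rule_covers(r, ls.port) and is_world_open(r.cidr)]
        if not world_open:
            continue
        if ls.scheme == "internet-facing" and not ls.requires_auth:
            severity = "critical"
        else:
            severity = "warning"
        findings.append({
            "lb": lb.name, "port": ls.port, "service": service,
            "severity": severity, "open_cidrs": world_open,
        })
    return findings


# Constructed sample configurations (not any real organisation's setup).
SAMPLE_WEB = LoadBalancer(
    "web-frontend",
    [Listener(443, "internet-facing", requires_auth=True)],
    [IngressRule(443, 443, "0.0.0.0/0")],
)
SAMPLE_ES_EXPOSED = LoadBalancer(
    "preprod-logs",
    [Listener(9200, "internet-facing", requires_auth=False)],
    [IngressRule(0, 65535, "0.0.0.0/0")],   # catch-all rule: the classic mistake
)
SAMPLE_ES_INTERNAL = LoadBalancer(
    "analytics-es",
    [Listener(9200, "internal", requires_auth=False)],
    [IngressRule(9200, 9200, "::/0"), IngressRule(9200, 9200, "10.0.0.0/8")],
)

if __name__ == "__main__":
    for lb in (SAMPLE_WEB, SAMPLE_ES_EXPOSED, SAMPLE_ES_INTERNAL):
        for f in audit(lb):
            print(f"[{f['severity'].upper()}] {f['lb']}: {f['service']} on "
                  f"port {f['port']} reachable from {', '.join(f['open_cidrs'])}")
```

Run against a real estate, the rules would come from the cloud provider’s API rather than inline objects; the point of the check is that a catch-all port range or a `0.0.0.0/0` source on a data-store port is flagged regardless of whether the listener is currently internal, since that is exactly the rule that “did not fully cover access controls”.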
“No matter how big or trusted a company is, they are one misconfiguration from a breach,” said David Maynor, Senior Director of Threat Intelligence at Cybrary. “Problems like this are why you need to invest in more than just tools. Investment in scaling your staff is more important than ever.”
Thomson Reuters database leak posed a significant security risk
Cybernews suggested that exposing sensitive data such as individuals’ or organizations’ screening information could tip off entities with secret shady dealings.
Additionally, the misconfiguration of Thomson Reuters’ global trade customers’ database could trigger a supply-chain attack by exposing critical system information.
“The exposure of connection strings is particularly dangerous because the company’s internal network elements are exposed, enabling threat actors’ lateral movement and pivoting through Thomson Reuters’ internal systems,” the researchers wrote.
Mantas Sasnauskas, the Head of Security Research at Cybernews, warned that the database leak could also allow threat actors to gain an initial foothold in the systems used by Thomson Reuters’ partners.
Threat actors could also sell the login credentials, such as server passwords, to initial access brokers or ransomware groups to execute sophisticated attacks. The leaked customer data exposed them to social engineering attacks such as fake and malware-laced invoices from attackers impersonating Thomson Reuters.
“Today’s Thomson Reuters breach sounds like an egregious lapse and is likely to have significant cascade ramifications with corporate governance, process, and oversight,” said Rajiv Pimplaskar, CEO of Dispersive Holdings. “As Thomson Reuters is a significant provider to many Fortune 500 companies, this incident could also have third-party risk and supply chain implications with their customers and business partners.”
Thomson Reuters database leak potentially exposed more customer data than anticipated
The researchers predicted that the open database contained more sensitive customer data than they could discover without crossing legal boundaries.
Nevertheless, the researchers pointed out that the database was left open for less than a week.
A limited analysis of the database leak shows that part of the customer data was leaked as recently as October 26, while the database had been open since October 21.
The researchers explained that search engines did not return any leaked data outside this window, suggesting that the database was not publicly accessible before.
Thomson Reuters claimed that its configuration policy follows security best practices. Additionally, the media conglomerate claimed that it performs automated and centralized logging to provide real-time alerts.
“Meanwhile, the data shows that the instance was open for more than three straight days. It begs the question of whether real-time alerting is necessary if there is no one to review the alerts,” said Martynas Vareikis, Information Security Researcher at Cybernews.