After security researcher Chris Vickery discovered millions of records from Facebook users sitting unsecured on a public database, he tried for weeks to get Amazon.com, owner of the servers where the data were stored, to take it down.
“We’re looking into the situation and assessing any extra steps we can take,” came the response from Amazon security staff on Feb. 21 — three weeks after Vickery initially brought the data exposure to Amazon’s attention.
The trove in question included 540 million pieces of information, such as identification numbers, comments, reactions and account names, that had been culled from Facebook pages and stored on Amazon servers by Mexico City-based digital platform Cultura Colectiva.
The records were accessible and downloadable for anyone who could find them online, and they didn’t get taken down until April 3, after Facebook — alerted by Bloomberg News — contacted Amazon.
The slow-footed response underscores a dilemma faced by businesses like Amazon Web Services, which along with cloud computing behemoths Microsoft and Alphabet’s Google, generate billions of dollars in revenue by providing storage and other computing services via remote data centers. Were Amazon to shut down a customer’s services, it could open itself to lawsuits and risk broken trust with clients, said Sean Curran, who advises companies on security issues for consulting firm West Monroe Partners. “It really is a gray area between (Amazon’s) responsibility and the customer’s,” he said.
Amazon views itself as responsible for the servers that populate data centers, and its customers should be in charge of the information that gets stored there, Vickery said.
“Companies like Amazon Web Services push a narrative of a shared responsibility model, where they’re responsible for the hardware,” he said in an interview with Bloomberg TV. “And then it’s up to the ones who are paying to store the data to correctly configure their storage instances to make sure anyone on the internet can’t access it.”
Vickery said he also reached out to Cultura Colectiva to take down the data, but didn’t receive a reply.
Whatever role Amazon should play, the episode is only the latest embarrassment for Facebook, still smarting from revelations last year that the company lost track of data that it shared with third parties. Facebook for years allowed anyone making an app on its site to obtain information on the people using the app, and those users’ friends. Once the data left Facebook’s hands, the developers were able to do whatever they wanted with it.
Facebook, in a statement, said it worked with Amazon to take down the database. It’s unclear whether Amazon pulled the plug itself, or persuaded Cultura Colectiva to take the files offline.
AWS customers “own and fully control their data,” Amazon said in a statement. “When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here.”
Amazon has grown into the world’s biggest provider of on-demand data storage and computing power in part by pledging to big companies that their data will be as private in the cloud as it was sitting in a backroom server.
“They just don’t want to start a precedent of them meddling with the data,” Vickery said, back when he was having trouble getting Amazon to take it down. “If they start shutting down access to data breaches, they start getting into liability a bit more. They’re in a sticky situation.”
On its website, AWS says customers maintain ownership of the data they upload to the service. “We do not access or use your content for any purpose without your consent,” the company said. Microsoft and Google make similar guarantees about their cloud businesses.
Even so, once Amazon becomes aware of information that shouldn’t be publicly available, it should quickly take steps to make the data private, said Ashkan Soltani, a privacy researcher and former chief technology officer at the Federal Trade Commission.
Vickery concurs. “I would hope that when they were notified they would have taken more steps to close it off,” he said.
Amazon’s terms of service give the company wide latitude to remove content it deems illegal. In cases where content infringes on the rights of a third party, Amazon can disable a service with two days notice.
After a series of inadvertent exposures of information stored on AWS’s Simple Storage Service in recent years, the company made it more difficult for its customers to make data public facing in the first place, peppering the service with warning notices when something is exposed, and giving administrators easier options to shut down open databases.
–With assistance from Gerrit De Vynck.