Security News > 2020 > December > Cayman Islands investment fund left entire filestore viewable by world+dog in unsecured Azure blob

A Cayman Islands-based investment fund has exposed its entire backups to the internet after failing to properly configure a secure Microsoft Azure blob.

Details of the fund's register of members and correspondence with its investors could be freely read by anyone with the URL to its Azure blob, the Microsoft equivalent of an Amazon Web Services S3 storage bucket.

As well as publicly exposing who its shareholders are, how many shares they hold, and the value of those holdings, the fund - which The Register is not naming after it agreed to talk in depth about its incident response process - had also saved a scanned copy of its online banking PIN to the blob.

Documents seen by The Register in the unsecured blob stretch back years and include: scans of directors' passports; letters to and from investors including commented files sent during commercial negotiations; term sheets; share certificates; documents signed by its directors and more.

Last year an Automated Number Plate Recognition operator in the UK left millions of CCTV images accessible online from an unsecured Azure blob that, like this fund's setup, had no login or authentication controls applied to it.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/12/01/auster_capital_data_breach/