Real estate industry provider exposes data

Note: An earlier version of this story reported that it was the First National Real Estate group’s systems that were breached. This is incorrect — it was a system under the control of a third-party provider, Sales Inventory Profile, which was exposed.

A poorly configured Amazon S3 bucket has exposed the details of potentially thousands of Australian job applicants.

The breach was first made public last week by UK-based privacy expert and activist Gareth Llewellyn, via a Twitter post.

Australia’s First National Real Estate group, which has hundreds of offices located across Australia, was one those potentially affected.

First National said that as soon as it became aware of the problem, it contacted the Office of the Australian Information Commissioner (OAIC).

In a statement, First National said that “following notification earlier this week that files belonging to Sydney based recruitment agency, Sales Inventory Profile, concerning positions within the real estate industry had been incorrectly secured, First National immediately responded through every appropriate channel to ensure that its network had not breached or participated in any notifiable data breach”.

The company added that its network has completed every action necessary, from its perspective, including contacting the OAIC.

“As this breach is not within First National’s responsibility, we, like all networks within the real estate industry, are dependent upon the Sales Inventory Profile organisation complying with the necessary security arrangements,” said Network Chief Executive Ray Ellis.

“We are working with our affected offices, and more importantly, any applicants that have been affected.”

According to Joel Camissar, Director of Managed Services for McAfee, research indicates that enterprise organisations have an average of 14 misconfigured IaaS instances running at any one time, resulting in over 2200 individual misconfiguration incidents per month.

“The recent … data leak caused by poorly configured S3 buckets is unfortunately still a common occurrence for many organisations using cloud, yet it is a security issue that can be easily avoided,” Camissar said.

“Meanwhile, 5.5% of AWS S3 buckets have world read permissions, making them open to the public,” he said.

Camissar said that to avoid misconfiguration issues, organisations continuously monitor their AWS, Azure, Google Cloud Platform or other IaaS configurations as a standard security practice.

“IaaS use is growing rapidly as an alternative to on-premises data centres, and it is critical that organisations get ahead of misconfiguration before it opens a major hole in the integrity of their security posture.”

Image credit: ©James Thew/Dollar Photo Club

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.