Men's clothing store Bonobos has suffered a massive data breach exposing millions of customers' personal information.
Walmart bought Bonobos in 2017 for $300 million to offer its clothing on Jet.com. BleepingComputer reported the breach occurred after a cloud backup of their database was downloaded by a threat actor.
In January, a threat actor known as ShinyHunters, who is notorious for hacking online services and selling stolen databases, posted the full Bonobos database to a free hacker forum, the report said. The amount of records varies depending on the category of the data, but the leaked database is a 70 GB SQL file containing various internal tables used by the Bonobos website. The database includes customers' addresses, phone numbers, partial credit card numbers, order information, and password histories.
BleepingComputer said Bonobos told them the threat actors did not gain access to internal systems but rather to a backup file hosted in an external cloud environment.
"What we have discovered is an unauthorized third party was able to view a backup file hosted in an external cloud environment,” Bonobos told BleepingComputer. “We contacted the host provider to resolve this issue as soon as we became aware of it. Also, we have taken additional precautionary steps, including turning off access points, invalidating account passwords and requiring password resets, to further secure customer accounts. We're emailing customers to notify them that their contact information and encrypted passwords may have been viewed by an unauthorized third party. Payment information was not affected by this issue.”
“The unfortunate reality is these sort of events are now a regular occurrence, as organizations move quickly and overlook details of the shared responsibility model of cloud infrastructure, creating vulnerabilities when undertaking things such as provisioning systems in a cloud environment,” Drew Daniels, CIO & CISO, Druva, tells RIS.
Gartner predicts that by 2022 at least 95% of cloud security failures will be the customer’s fault, as in a failure to properly observe the shared responsibility model, he notes.
“What many organizations don’t realize is that while IaaS platforms such as Azure and AWS are responsible for maintaining and securing the compute, network and storage, they aren’t responsible for properly configuring the infrastructure and protecting the data stored within it,” says Daniels. “Customers are responsible for securing their own data, operating systems, applications, and providing or restricting all access management to its users. This incident only further emphasizes the importance of data protection and governance.
“The key to minimizing attacks like this is to ensure data files are managed and protected by a backup service that focuses on these essentials and provides some measure of additional, layered security such as encryption end-to-end and continuously monitoring to catch any risks early. When the proper tools are in place, organizations can be notified when any public cloud storage is misconfigured and rectify the situation before it becomes an issue. In addition, this can help avoid potential penalties associated with CCPA, the GDPR, or the plethora of other regulations that are just around the corner. Taken together, this brings organizations proactive compliance monitoring and data security measures that are always available and in place.”