Friday, January 29, 2021

Another Data Breach - but a bit more interesting than usual...

One of my insurance companies informs me that Bonobos, a clothing subsidiary of WalMart, had a database breached on January 22nd. Around 7 million customers were affected and are being urged to change their passwords. The exposed items included:

email addresses
credit card information
phone numbers
details of orders
encrypted passwords

And here's the interesting aspect. Apparently the front-line processing wasn't the target. Attackers downloaded a cloud backup of the company's database rather than going after the "live" one.

You can flip through my previous posts to see how many times I've warned against this sort of thing. Why not go after backups? If the administrator of record even has the time to deal with security, that time goes to the main processes and units, not to ancillary matters like warm sites, cold sites, updates, secondary provider access, backups... Backups. Just a treasure chest sitting there and possibly not well guarded.

There's the cloud location to be scrutinized as well; I used to talk to lots of customers at the old ISP who thought security was the responsibility of the cloud provider. They discovered otherwise. On top of the security details that would normally come up anywhere, cloud computing (to repeat myself) adds three more security issues to the mix:

Web Interface Integrity - is that form, code, etc. properly tested for buffer issues, syntax, version...?
Hypervisor Integrity - I saw at least one zero-day crack at this point
Provider Employee Exposure - can you trust the ISP staff you didn't hire?

But to simply go for a backup wherever it's located, online or otherwise, is an utterly fiendish strategy, since it amounts to a flank attack rather than an approach at a strong point. The backup may be stashed in some location on a primary node, on a different node elsewhere, in a cloud location, or even on a tape (yes, that's still commonly in use). An attacker could go for the live (online) location or the live local location, try to intercept the backup as it is transferred from point to point, or even risk physical theft of a tape cartridge. Any of these strategies could be profitable.
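The defensive counterpart to all of the above is to make a copied backup worthless: encrypt and authenticate it on the host before it goes anywhere, so whoever downloads the cloud copy, taps the transfer or walks off with the tape gets only ciphertext, and any tampered or truncated blob is refused on restore. The following is an added example, not code from the original post or from Bonobos; it uses only the Python standard library (an HMAC-SHA256 counter-mode keystream in encrypt-then-MAC form) so it runs anywhere, and the key, record and field names are constructed.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(key, nonce || i), truncated to length.
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_backup(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, safe to ship to cloud, tape or a warm site."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(_derive(master_key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_authentic(master_key: bytes, blob: bytes) -> bool:
    """True only if the tag verifies: a truncated, modified or wrong-key blob fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    expected = hmac.new(_derive(master_key, b"mac"), blob[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(blob[-TAG_LEN:], expected)  # constant-time compare


def open_backup(master_key: bytes, blob: bytes) -> bytes:
    """Verify first, then decrypt; never decrypt an unauthenticated blob."""
    if not is_authentic(master_key, blob):
        raise ValueError("backup rejected: tampered, truncated, or wrong key")
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(ct, _keystream(_derive(master_key, b"enc"), nonce, len(ct)))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key; keep it off the backup media
    dump = b"email=alice@example.invalid;phone=555-0100;order=42\n"  # constructed record
    assert open_backup(key, seal_backup(key, dump)) == dump
```

In production use a vetted AEAD such as AES-GCM and store the master key in an HSM or KMS that the backup storage account cannot read, since the whole point is that the key never travels with the copy.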