A misconfigured Amazon S3 bucket belonging to London Business School has exposed sensitive data about its students. The leaked details include their names, emails, DoB, locations, etc.
London Business School responded quickly by securing the S3 bucket, and said the risk arising from the incident is minimal. The exposure was spotted and reported to LBS by Bob Diachenko, a security researcher.
London Business School Data Leak
A constituent of the Federal University of London, the London Business School has been consistently ranked among the top 5 business schools in the world for many years. With state-of-the-art campuses in London and Dubai, the college has over 2000 students from several countries.
Despite being one of the greatest MBA schools today, LBS still fails to properly secure its cloud instances that store sensitive data belonging to its students. Bob Diachenko, a security researcher who earlier uncovered data leaks at RedLine, SonarQube, Razer, etc., found a misconfigured Amazon S3 bucket belonging to LBS.
London Business School [@LBS] exposed data of its students: names, emails, userIDs, DOB, interests, locations etc. via misconfigured s3 bucket. The following statement was provided to me after responsible disclosure took place: pic.twitter.com/U9xQTbejJO
— Bob Diachenko (@MayhemDayOne) March 28, 2022
He said the exposed cloud instance was leaking student data, including names, emails, user IDs, DOB, interests, locations, etc. After he responsibly disclosed it to the London Business School, the school replied:
“We identified the system concerned and took swift action to remedy the misconfiguration. The root cause of this has been identified as the erroneous use for data and report transfers of a storage bucket intended for public files.”
Having reported the incident to the ICO, the school surprisingly considers the risk posed by this exposed data to be “minimal”. Data leaks arising from misconfigured cloud instances, especially Amazon S3 buckets, aren’t uncommon.
Amazon has laid out a clear guide on how to properly secure S3 buckets and stay attentive to any leaks or cyberattacks targeted at them. Thus, it’s the responsibility of the enterprise customers to be informed and act accordingly.
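The root cause the school described, a bucket intended for public files being used for data and report transfers, can be checked for in an account's own buckets. The following is an added example, not code from the school, the researcher or Amazon: it flags buckets that are anonymously readable and also hold export-like objects. The bucket names, object keys and suffix list are constructed assumptions, and the input dictionaries mirror the shapes returned by the S3 bucket policy, ACL and Block Public Access APIs.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Assumption: suffixes that suggest data or report exports rather than public web assets.
EXPORT_SUFFIXES = (".csv", ".xlsx", ".json", ".sql", ".bak")

def _as_list(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def public_reasons(bucket):
    """Return the ways a bucket is reachable anonymously, honouring Block Public Access."""
    pab = bucket.get("PublicAccessBlock", {})
    reasons = []
    if not pab.get("RestrictPublicBuckets") and bucket.get("Policy"):
        for st in _as_list(json.loads(bucket["Policy"]).get("Statement")):
            principal = st.get("Principal")
            anyone = principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
            reads = any(a in ("*", "s3:*", "s3:Get*", "s3:GetObject") for a in _as_list(st.get("Action")))
            # Simplification: statements with a Condition are not counted as public.
            if st.get("Effect") == "Allow" and anyone and reads and not st.get("Condition"):
                reasons.append("policy: anonymous s3:GetObject")
    if not pab.get("IgnorePublicAcls"):
        for g in bucket.get("Grants", []):
            if g["Grantee"].get("URI") == ALL_USERS and g["Permission"] in ("READ", "FULL_CONTROL"):
                reasons.append("acl: anonymous listing")
    return reasons

def audit(buckets):
    """Flag public buckets that hold export-like objects."""
    findings = {}
    for b in buckets:
        reasons = public_reasons(b)
        exports = [k for k in b["Keys"] if k.lower().endswith(EXPORT_SUFFIXES)]
        if reasons and exports:
            findings[b["Name"]] = {"reasons": reasons, "exports": exports}
    return findings

# Constructed sample data (hypothetical bucket names and keys).
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-public-assets/*"}]})
SAMPLE = [
    {"Name": "example-public-assets", "Policy": PUBLIC_POLICY, "Grants": [],
     "PublicAccessBlock": {}, "Keys": ["img/logo.png", "reports/students-2022.csv"]},
    {"Name": "example-brochures", "Policy": PUBLIC_POLICY, "Grants": [],
     "PublicAccessBlock": {}, "Keys": ["pdf/brochure.pdf"]},
    {"Name": "example-transfers", "Policy": PUBLIC_POLICY, "Grants": [],
     "PublicAccessBlock": {"RestrictPublicBuckets": True, "IgnorePublicAcls": True},
     "Keys": ["exports/users.csv"]},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Only the first sample bucket is reported: the second is public but holds only public files, and the third holds an export but is shielded by Block Public Access.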