Cloud data storage has taken off in popularity across industries, including financial services and credit unions. However, security researchers are warning organizations their private content may be available publicly.

Making sensitive data available to unauthorized users on Amazon's cloud-based Amazon Web Services storage servers (known as buckets) is not new. Over the last year and a half or so, FedEx, Verizon, the Pentagon, Uber, Alteryx, the WWE, the NSA, Dow Jones and some data mining companies have exposed data through misconfigured storage buckets, leaving information on unprotected AWS data repositories.

“All indications suggest that those reports are just the tip of the iceberg, and many more firms are putting themselves, their partners, and innocent members of the public at risk through careless data security,” a BBC report stated.

The main target, according to security experts, is the servers supporting Amazon's Simple Storage Service (S3) storage buckets. A bucket is a unit of storage in the AWS object storage service; S3 buckets store objects, consisting of data and metadata. An S3 customer must create a bucket before storing data in Amazon's public cloud and specify access privileges by means of the AWS Policy Generator. SimilarTech claimed almost 400,000 websites currently use S3 buckets.

A new study from European-based HTTPCS found that, out of 100,000 buckets surveyed, 10 percent were public in that they allowed any worldwide user some form of access; 58 percent of the public buckets were publicly readable, many for legitimate reasons; and 20 percent of publicly accessible buckets were writable, which could allow hackers to use the public buckets for more attacks, serving or controlling malware at the bucket owner's expense.

Attackers can also encrypt breached data found in the buckets and attempt to hold it for ransom.
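
The read/write distinction in the survey figures above can be checked against a bucket's own configuration. This added example, which is not from the original article or the HTTPCS study, classifies a bucket policy document and an ACL grant list as publicly readable and/or writable; the function names and sample inputs are constructed for illustration, and it assumes any policy statement carrying a Condition is restricted.

```python
import json

# Predefined ACL groups whose grants make a bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    """True for "Principal": "*" or {"AWS": "*"} (anyone on the internet)."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def classify_bucket(policy_json=None, acl_grants=()):
    """Return the public exposures found: a subset of {'read', 'write'}."""
    exposure = set()
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") not in PUBLIC_GROUPS:
            continue
        perm = grant.get("Permission")
        if perm in ("READ", "FULL_CONTROL"):
            exposure.add("read")
        # WRITE_ACP lets the grantee rewrite the ACL, so treat it as write.
        if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
            exposure.add("write")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        # Simplification (assumption): any Condition is taken to restrict access.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        for action in (a.lower() for a in _as_list(stmt.get("Action", []))):
            if action in ("*", "s3:*") or action.startswith(("s3:get", "s3:list")):
                exposure.add("read")
            if action in ("*", "s3:*") or action.startswith(("s3:put", "s3:delete")):
                exposure.add("write")
    return exposure

# Constructed sample input, not taken from any real bucket.
SAMPLE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "WRITE"}]
print(sorted(classify_bucket(SAMPLE_POLICY, SAMPLE_ACL)))
```

The input shapes mirror the JSON a bucket owner gets back when fetching their own bucket policy and ACL, so the same function can be pointed at exported configuration during an audit.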

This matters to the credit union industry because credit unions are starting to leverage cloud technologies, particularly when utilizing fintechs. Xerex Bueno, CTO for Layton, Utah-based CUSO CUProdigy, pointed out these last rounds of published breaches resulted from improperly configured cloud environments. “Misconfiguration is the number one reason why there've been so many issues around breaches,” Bueno said. “A lot of it has to do with people adopting cloud technologies, who are unfortunately not the masters in that domain and making non-malicious configuration mistakes that are actually exposing themselves to the world.”

Bueno explained individuals or companies inadvertently make S3 storage buckets viewable and readable publicly. “That means anybody who figures out the S3 storage bucket URL has basically full rights to take all the information that's in that bucket and copy it out.”

So, credit unions need to understand these security risks of cloud storage. “If they're not a hundred percent familiar with the space or know what's going on with it, they should really find a partner with a company that has a lot of cloud experience.”

Bueno explained CUProdigy offers protection by being a trusted technology partner. “We take a very consultative approach to working with credit unions who want to leverage cloud technologies to ensure that they don't end up in the news for the wrong reasons.”

Bueno suggested a credit union's journey to the cloud is just an eventual reality because of the economies of scale, performance, reliability, security, and disaster recovery. All those are challenges for a lot of credit unions that the cloud can solve, Bueno maintained. “I would urge credit unions that as they start this journey, they really find an organization that understands what it means to be a credit union and what that member data actually means at the end of the day.”
