Maruti Suzuki Investor Data Exposed
Researcher Discovered Misconfigured Microsoft Azure Blob Cloud Server
A misconfigured Microsoft Azure Blob cloud storage server used by Maruti Suzuki, an automobile manufacturer in India, exposed investors' personal and financial data online, a security researcher says.
The misconfigured Azure server, discovered on Oct. 16, appears to have been accessible via the internet for over a year, says Sami Toivonen, an Australia-based security expert. A filename attached to the database shows it was first validated in March 2019, he says.
After finding the exposed database, Toivonen contacted Maruti Suzuki on Oct. 17.
"I contacted Maruti Suzuki via their contact email address, investor relations email address and Twitter account and sent the detailed report to their data protection officer and chief information security officer," Toivonen says. "On Oct. 26, I contacted Maruti Suzuki for the fourth time. The data was secured later in the day."
Azure Blob cloud storage servers are used for tiered data storage and long-term retention of data for use in high-performance computing and machine learning workloads, according to Microsoft.
The exposed Maruti Suzuki data included investors' full names, addresses, Permanent Account Numbers (PANs) used for taxation purposes, dates of birth and Aadhaar numbers - India's Unique Identification Number.
Toivonen says the exposed server contained over 1,500 files, including documents on investors' collateral, marketing materials, agreement templates, legal tender documents as well as 26 files containing personal details of Maruti Suzuki investors who hadn't claimed their dividends.
"One of the datasets contained the personal details of 20,534 investors," Toivonen says. "From a privacy and data protection point of view, some of the investor documents included sensitive data and information that is meant to be shared only with shareholders. There were over 20 files with investor details, but only one of those files included the PAN numbers, dates of birth and Aadhaar numbers."
Maruti Suzuki, headquartered in New Delhi, is partially owned by Japan's Suzuki Motor Corp. The company controls over 50% of the Indian passenger car market, according to Statista.
A spokesperson for Maruti Suzuki could not be immediately reached for comment Thursday.
Public Cloud Security
Microsoft is responsible for securing the Azure infrastructure, but Maruti Suzuki is responsible for protecting the data the company uploaded to the Azure server and for ensuring that it used properly configured passwords, Toivonen says.
"We are often reading about publicly exposed data on Amazon's Simple Storage Service buckets, but very few remember or talk about the fact that all three major public cloud service providers - Amazon, Google and Microsoft - have the same kind of shared responsibility model," the researcher says. "And the customer is always responsible for securing the data and users, but also applications and network in the majority of the cases. Also, a big part of cloud-based storages on all three are public by default."
Whose Data Exposed?
Toivonen notes that while most of the exposed Maruti Suzuki investor data belonged to residents of India, the database also contained details about investors elsewhere, including the U.S., U.K., Australia, Canada, France, Germany, Ireland, Norway and Singapore.
Earlier this month, Toivonen reported on an unsecured Amazon Web Services database belonging to India's Dr. Lal Path Labs that potentially exposed 50 GB of patient data, including notes related to the results of COVID-19 tests (see: Unsecured AWS Database Left Patient Data Exposed).