Australian Broadcasting Corporation leaks passwords, video from AWS S3 bucket

'Advance video content' and years of backups dangled in the cloud

The Australian Broadcasting Corporation (ABC) has joined the long list of organisations to leak sensitive data from a poorly secured public-facing Amazon Web Services S3 bucket.

Security outfit Kromtech's chief communications officer Bob Diachenko on Thursday revealed today that the company “identified a trove of data that is connected with ABC Commercial” including “production services and stock files that should not have been publicly available online.”

ABC Commercial is the government-funded broadcaster's wing dedicated to licensing, selling merchandise related to its programs, events and content marketing. It's intended to be a money-maker for the ABC.

Kromtech said the trove included “1,800 daily MySQL database backups from 2015 to present”. Those backups and other data in the buckets included:

  • Several thousands emails, logins, hashed passwords for ABC Commercial users to access the ABC content (these include users who are well known members of the media)
  • Requests for licensed content as sent by TV and media producers from all over the world to use ABC’s content and pay royalties.
  • Secret access key and login details for another repository, with advance video content

Worse still, the un-secured buckets were detected in that state a week after AWS issued advice on how to secure S3 buckets.

Diachenko said Kromtech was able to reach ABC IT personnel and that the buckets were secured within minutes of notification about problems.

A person familiar with the ABC’s IT operations and politics told The Register this mess will likely be a boost to an old guard in its IT team that prefers on-premises infrastructure and defence-in-depth security strategies. That faction is likely to encounter resistance from management that is known to be keen on doing more in the cloud.

An ABC spokesperson told The Register the organisation "can confirm it is investigating a data breach but has no further comment to make at this stage." We've asked the organisation further questions about how and when it responded to the breach and will update this story if we learn more. ?

UPDATE: 12:15, Friday November 17th. The ABC " has confirmed that it was notified of a data exposure on 16 November. ABC technology teams moved to solve this issue as soon as they became aware."


Biting the hand that feeds IT ? 1998–2017