Thomson Reuters Leaks Over 3TB of Data Through Open Databases

Reuters is seen as one of the most respectable news agencies in the world, even among fellow journalists. The publication regularly writes about the latest data leaks and cyber breaches that impact conglomerates and their clients, but, this time around, it’s landed in the hot water itself as parent company Thomson Reuters leaked terabytes of sensitive information.

The media company left databases with sensitive customer and corporate data, including third-party server passwords, open for anyone to discover. To make matters worse, the data was in plain-text format. That means cybercriminals who accessed the database were instantly able to read all the sensitive information and use it. 

Basic cybersecurity practice dictates companies should encrypt sensitive data so that, even if it’s stolen, cybercriminals will be less likely to be able to read and use it — unless they manage to also decrypt it.

Thomson Reuters didn’t apply even basic security measures and now at least 3 TB of sensitive data is in the hands of criminals. Cybercrooks can use this information in a variety of attacks, including supply-chain attacks on Thomson Reuters customers and vendors.

A Costly Mistake

A team of researchers discovered Thomson Reuters had left at least three of its databases accessible to any outsider for three days. One of these open databases contains 3TB of ElasticSearch data, which includes sensitive information from across the company’s different subsidiaries.

Leaked info includes materials on the legal research service Westlaw, tax automation system ONESOURCE, business-to-business media tool Reuters Connect, and editorial and source data on the Checkpoint research suite. Among these various services, Thomson Reuters collected terabytes of data from its partners and customers. Researchers believe this data would be worth millions of dollars among cybercriminal forums as it contains sensitive information and potentially grants access to the company’s internal systems.

This type of information would allow threat actors to gain an initial foothold in the systems used by companies working with Thomson Reuters.

Mantas Sasnauskas, Head of Security Research at Cybernews

Sasnauskas also said the misconfigured server had already been indexed by popular IoT search engines, which hands threat actors a large attack surface: they could exploit internal systems and also carry out supply chain attacks. According to Sasnauskas, even a small human error on the part of employees can lead to devastating consequences in these types of supply chain attacks.

[Image: example of exposed code on the Thomson Reuters database with redacted parts in blue, showing passwords/credentials to a third-party server (top) and connection string logs (below). Image by Cybernews.]

Some of the sensitive data exposed by the open databases includes login and password reset logs, which don’t expose passwords but do expose the account holders’ email addresses. The databases also exposed SQL (structured query language) logs that show what information Thomson Reuters clients were looking for and the results they got for their queries, which include specific corporate and legal documents with sensitive information about businesses and individuals.

One of the open databases also included an internal screening of clients’ access logs of other platforms and connection strings to other databases. According to the researchers, this is especially dangerous because it lets cybercriminals move laterally through Thomson Reuters’s internal systems.
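The credentials and connection strings described above sat in plain text inside log entries. As an added example that is not part of the original article or of the Cybernews research, the scanner below shows the kind of check a defender can run over their own logs before they are shipped to a shared store: it flags passwords embedded in URL-style connection strings and in key=value parameters, masks them, and separately flags email addresses as phishing-relevant PII. The log lines are constructed for this example and are not from the leaked dataset.

```python
import re

# Constructed sample log lines for this example; they are not from the leaked
# dataset. Line 1 embeds credentials in a connection string, line 3 passes them
# as a JDBC query parameter, and line 4 is a password-reset audit entry that
# exposes only an email address.
SAMPLE_LOGS = [
    "2022-10-21T09:14:02Z INFO connecting to postgresql://app_user:Sup3rSecret!@db.internal.example:5432/westlaw",
    "2022-10-21T09:14:05Z INFO cache ready redis://cache.internal.example:6379/0",
    "2022-10-21T09:15:11Z DEBUG jdbc url jdbc:mysql://reports.example:3306/onesource?user=etl&password=etlpass123",
    "2022-10-21T09:16:40Z INFO password reset requested for jane.doe@example.com",
]

# Credentials embedded in a URL-style connection string: scheme://user:password@host
URL_CRED = re.compile(r'(?P<scheme>[a-z][a-z0-9+.\-]*://)(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@')
# Credentials passed as key=value (JDBC/ODBC-style strings, environment dumps)
KV_CRED = re.compile(r'(?i)\b(?P<key>password|passwd|pwd)=(?P<val>[^&\s;]+)')
# Account identifiers: not a secret, but PII that enables targeted phishing
EMAIL = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')


def redact_credentials(line):
    """Return (redacted_line, kinds): the line with secrets masked and the kinds found."""
    kinds = []
    line, n = URL_CRED.subn(lambda m: f"{m.group('scheme')}{m.group('user')}:***@", line)
    if n:
        kinds.append("connection_string_password")
    line, n = KV_CRED.subn(lambda m: f"{m.group('key')}=***", line)
    if n:
        kinds.append("keyvalue_password")
    return line, kinds


def scan_logs(lines):
    """Scan log lines; return one finding per (line, kind) with the masked line.

    Emails are looked for only after secrets are masked so that a password that
    happens to end in '@host' is not double-counted as an address.
    """
    findings = []
    for no, raw in enumerate(lines, start=1):
        redacted, kinds = redact_credentials(raw)
        if EMAIL.search(redacted):
            kinds.append("email_address")
        for kind in kinds:
            findings.append({"line": no, "kind": kind, "redacted": redacted})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['kind']}: {f['redacted']}")
```

Masking happens at the source, so anything that reaches a search index (Elasticsearch included) never contains the secret; the email finding is kept as a separate, lower-severity kind because the article's own point is that addresses alone are enough for targeted phishing.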

Looming Disaster Possibly on the Cards

It’s possible much more sensitive data was exposed in the leak, but researchers haven’t been able to determine the full extent of the breach without crossing ethical boundaries. Yet, they were clear on one thing: it’s a ticking time bomb.

For example, the media company leaked sensitive screening and compliance data which can tip off malicious entities who would prefer their activity stays in the dark about what to look out for. Researchers said cybercriminals can also easily use the data and email addresses exposed in the dataset to carry out targeted phishing and other social engineering attacks. 

Targeted campaigns can wreak a lot of damage because they rely on one of the weakest security points in any company – people. Having access to more information, and especially to sensitive information, gives attackers an incredible advantage. One of the biggest concerns is that attackers can pose as Thomson Reuters and send its customers fake, malware-laden invoices or files, which could be devastating to businesses. Sasnauskas explains:

Information stored on the server is extremely sensitive. Cases like these raise questions about corporate data collection practices. The ramifications of a data leak of such scale are worrying to say the least.

Sasnauskas says attackers could use the information in various ways to harm Thomson Reuters as well. This includes extorting the conglomerate and gaining further knowledge about its internal systems, networks, and services. This would further enable them to launch sophisticated attacks.

Thomson Reuters Lacked Adequate Security Practices

[Image: best practices for securing ElasticSearch databases. Amazon’s blog tells you exactly how to secure your ElasticSearch databases.]
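The screenshot above only gestures at those best practices. As an added example that is not part of the original article, the audit below puts a weak elasticsearch.yml beside a hardened one and checks the settings that decide whether a cluster ends up open on the internet: `network.host` bound to every interface, and `xpack.security.enabled` / `xpack.security.http.ssl.enabled` not set to true. Both configuration files are constructed for this example; the flat `key: value` parser is a deliberate simplification that only handles the dotted form Elasticsearch accepts, not nested YAML blocks.

```python
# Constructed elasticsearch.yml as found on many exposed clusters (example only)
WEAK_CONFIG = """\
cluster.name: demo-cluster
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# Constructed elasticsearch.yml with the minimum this audit expects (example only)
HARDENED_CONFIG = """\
cluster.name: demo-cluster
network.host: 10.20.30.40      # private address, reachable only inside the VPC
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Values of network.host that bind the node to every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text):
    """Parse flat 'key: value' lines (comments stripped); nested YAML is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_config(text):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    s = parse_flat_yaml(text)
    findings = []

    # Elasticsearch binds to loopback (_local_) when network.host is unset.
    host = s.get("network.host", "_local_")
    if host in ALL_INTERFACES:
        findings.append(
            f"network.host={host}: node listens on every interface and is reachable "
            "from the internet unless a firewall blocks it")

    # The default for xpack.security.enabled differs by version (off before 8.0,
    # on from 8.0), so the audit requires it to be set explicitly.
    if s.get("xpack.security.enabled") != "true":
        findings.append(
            "xpack.security.enabled is not explicitly true: every index can be read "
            "and written without credentials")

    if s.get("xpack.security.http.ssl.enabled") != "true":
        findings.append(
            "xpack.security.http.ssl.enabled is not true: credentials and query "
            "results travel over cleartext HTTP")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_elasticsearch_config(cfg) or ['no findings']}")
```

Run as a pre-deployment check, this catches the configuration that lets IoT search engines index a cluster in the first place; it does not replace network-level controls such as security groups, which the audit cannot see from the file alone.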

After the researchers informed Thomson Reuters of its exposed systems, it quickly fixed the issue, but that doesn’t mean the damage isn’t already done. The web is filled with bots that constantly scan connected servers for open databases, so the data contained here has very likely already been copied by threat actors.

The same researchers discovered that Thomson Reuters’ configuration and system environment files were also exposed last year. Apparently some of these files still appear on IoT search engines today, which means they can be stolen. The conglomerate, meanwhile, maintains its systems are configured using best security practices.

According to Thomson Reuters, its security includes automated and centralized logging to provide real-time alerting. In theory, real-time alerts should have given the company instant knowledge of the exposed data, giving it enough time to close the leak before crawler bots moved in. 

Timestamps on IoT search engine results show the Thomson Reuters databases had been exposed since October 21, 2022, leaving the information up for grabs for days. That means either the alert system is faulty or security employees ignored these alerts.

The company said it has started notifying affected customers, and it’s imperative that anyone who has used any of Thomson Reuters’s tools immediately change their passwords. Even the most secure passwords are useless if they were leaked in plain text.

Unfortunately, this is a reminder for security teams that they need to be more vigilant about where and how their information is stored, as well as about what’s shared, even with partner companies and vendors. Thomson Reuters has downplayed the incident, saying it only affected a “small subset of Thomson Reuters Global Trade customers” yet it’s concerning something on this scale could have happened at all.
