A high-profile telecommunications firm accidentally leaked 900,000 data records via an Amazon Web Services database. The data, which had been owned by the in-house marketing function, had been left visible to anyone on the Internet. No authentication was required. After an unsatisfactory investigation by the original incident response firm, we were retained by counsel to provide a fresh technical investigation and report.
Our experts identified the cause of the original vulnerability, quickly confirming that a third party data provider employed by the client was responsible for the environment when the breach occurred. This brought into question whether the third party was liable, and if the client had the option of recouping some costs.
Our findings demonstrated a technical failing of the third party data provider, which was used in litigation to defend our client. We also provided third party management and governance advice to the client to remediate the breach situation.