Computer and information technology security issues can be quite opaque and difficult to understand, but here's a simple problem that continues to rear its ugly (and dangerous) head. It goes something like this:

Take your organisation's really important data, absolutely heaps of it, and put it in internet-connected storage in the cloud.

Then just leave it there, without any access controls or a way to see if someone else has looked at the data, or even downloaded it.

We're talking about corporate secrets and plans, emails, login credentials, employee details and lots of other really juicy things.


It was all there in Amazon Web Services Simple Storage Service (S3) repositories, open for anyone to take a gander at.

Obviously, this is a double head-desk fail that absolutely nobody should ever commit. You'd think the first thing any organisation that moved its sensitive data off in-house IT systems to the cloud would check is whether it's secure there, but that didn't happen even after some well-publicised information leaks.

The list of companies that should know better than to leave their sensitive data unsecured is long.

Management consultancy Accenture is one name, along with media giant Viacom, United States telco Verizon, and financial news company Dow Jones.

Across the Tasman, the Australian Broadcasting Corporation dumped data for its commercial division - which sells, buys and licenses programmes and more - on the AWS S3 cloud, and left it wide open for anyone to access.

The Pentagon's Central and Pacific military commands did the same recently, leading to speculation about whether the 1.8 billion Facebook and other social media posts, and comments on news sites, stored on S3 were part of US internet surveillance.

AWS has tried to educate its customers that leaving data exposed to the internet without access controls is bad, first in July and then recently, when the cloud provider added further security features to make sure admins really notice when their info is at risk.

That AWS had to do so after the unthinkable happened does make you wonder how well its customers understand the whole cloud computing concept, not to mention the basic tenets of IT security.


There's also the question of whether organisations know what they're storing on their systems, the data that is then stuffed into the cloud. Cloud storage is cheap, convenient and infinitely scalable, but does everything have to go there, especially sensitive things and forgotten data that's probably best deleted?

If your organisation uses the cloud, check this is done properly and securely - if not, you could make the news as the next big information leaker, or have the data traded and abused by criminals.