In my opinion organizations still don't rely enough on "defense in depth" techniques to protect sensitive data. Breaching the WAF and gaining access to S3 files shouldn't suffice to gain access to the raw data. Personal data that is not required for transactional use should be either encrypted, pseudonymized or anonymized. I couldn't find information about the exact use case of the data but as it was stored in S3 I would guess that it was "set aside" for future use in analytics or machine learning, maybe? If so there's really no reason to store the raw data.
Any single IT system is hackable and will eventually be hacked. The probability that an adversary will be able to hack multiple, independent systems is much lower though, and would in many cases prevent data breaches like this one.
I find that in large organizations, business only cares about business. Maybe because they can't be bothered with IT or security or any of the geeky disciplines. I'm pretty sure it's all about soft skills: they just can't handle dealing with folks that lack soft skills and those geeky, nerdy folks running the technology stack lack soft skills and only ever ask to spend money ...
If you, tech geek, learn enough to speak well to The Business, you have another challenge: the market is at a place where incentives matter. You can articulate, in the right language, the need for cleaning up the company security posture, but you can't articulate an incentive. User can't sue because the ToS says 'mediation;' There's no regulatory agency that will really threaten our profits - we can afford a $10MM fine when they get around to levying such after three years of investigation ... what's the incentive to spend half a million dollars this year on additional employees and licenses when that's money destined for high-level bonuses this year, and by the time that fine arrives, this executive team will have moved on?
>In my opinion organizations still don't rely enough on "defense in depth" techniques...
This flies in the face of 'easy money.' 'Easy' meaning we, The Business, comprehend the purpose of a particular budget line item. Spending money is bad. But spending money in some places is a necessary evil, and only acceptable when it is in a place that is directly reflected in the price to the customer. Acquiring, manufacturing, assembling parts in the final product? Fine. Marketing to acquire a customer? Sure. Attaining regulatory approvals? Bah, ok. After we've articulated the costs and padded an acceptable margin, the only thing left is the self-congratulatory bonuses for executives!
I've found that at large companies, employees touted as having great soft skills often lack the ones that I consider key for productivity: communication, integrity, responsibility, and work ethic.
Meanwhile, engineers possessing all of the above traits as well as hard skills are told to develop their other soft skills (i.e. positive attitude, courtesy, and professionalism) to make themselves more palatable to the inept.
In a vicious cycle, the feeling that everything is focused around appeasing those that contribute the least is enough to erode many engineers' soft skills.
> Personal data that is not required for transactional use should be either encrypted, pseudonymized or anonymized.
Sorry, just to nitpick, creating anonymized data isn't that easy, and I'm worried something like that would get misused like some password breaches (the passwords were encrypted with md5, they're still secure). I can store all this customer data without consideration, because a company thinks they've anonymized something that isn't actually anonymized.
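To illustrate the nitpick above (an unkeyed hash of a low-entropy identifier is not anonymization, whereas keyed pseudonymization keeps the mapping behind a secret stored outside the data store, in the defense-in-depth sense of the first comment), here is an added example that is not from any commenter; the member-number records and the four-digit identifier space are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample "customer records" with a low-entropy identifier (a 4-digit member number).
RECORDS = [
    {"member_no": "0042", "purchase": "widget"},
    {"member_no": "1337", "purchase": "gadget"},
    {"member_no": "9001", "purchase": "gizmo"},
]

def naive_anonymize(records):
    """What 'we hashed it, so it's anonymous' usually means: an unkeyed hash of the identifier."""
    return [{"member_no": hashlib.sha256(r["member_no"].encode()).hexdigest(),
             "purchase": r["purchase"]} for r in records]

def pseudonymize(records, key):
    """Keyed pseudonymization (HMAC-SHA256). The token is still consistent per member
    (linkable, so not anonymous either), but reproducing the mapping needs the key,
    which is meant to live in a separate system (KMS/HSM), not beside the data."""
    return [{"member_no": hmac.new(key, r["member_no"].encode(), "sha256").hexdigest(),
             "purchase": r["purchase"]} for r in records]

def dictionary_reverse(records):
    """Model of someone holding only the stored file: hash every possible member number
    (10,000 candidates here) and look the stored tokens up. Returns the recovered
    member number per record, or None where the token does not match any candidate."""
    table = {hashlib.sha256(f"{i:04d}".encode()).hexdigest(): f"{i:04d}"
             for i in range(10_000)}
    return [table.get(r["member_no"]) for r in records]

def demo():
    key = secrets.token_bytes(32)  # would be held by a separate key service in practice
    return {
        "naive_recovered": dictionary_reverse(naive_anonymize(RECORDS)),
        "pseudo_recovered": dictionary_reverse(pseudonymize(RECORDS, key)),
    }

if __name__ == "__main__":
    print(demo())
```

The unkeyed version hands back every member number from the file alone, while the keyed version yields nothing without the key, which is exactly the second, independent system the first comment argues an attacker should also have to breach.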