A Cayman Islands-based investment fund has left the content of its server visible on the internet because it failed to properly configure a cloud back-up solution, according to technology news website The Register.
The cyber-security error meant that anyone with access to the website address of the fund’s Microsoft Azure Blob had access to years of client files. These included personal banking information, passport details and even online banking PIN numbers, The Register reported.
The news website received the information after a tip from a researcher but agreed not to name the firm in exchange for details about how the blunder occurred.
From the terminology used in the article, it is not clear whether the company in question is a fund, an investment firm or a bank, but the firm claims to manage $500 million in assets, according to The Register.
The exposed information, which has since been removed, covered several years of investor correspondence, share certificates, documents signed by directors, and scans of directors’ passports.
In the article, which featured anonymised scans of certain documents, a local staff member blamed the breach on an outside service provider in Hong Kong, which provided the solution.
He said the Azure Blob was part of a disaster recovery set-up and not used in daily back-ups.
The Microsoft Azure Blob solution is similar to cloud back-up services such as Amazon Web Services' S3 storage buckets.
Storage leaks from that Amazon service have been well publicised in the past. Both solutions are publicly accessible platforms that provide access to anyone with the correct URL and permissions through the same HTTP requests that a web browser uses to access a website.
The solutions are typically secure as long as the security checks are enabled correctly.