Thomson Reuters: Trust the Firm with Data Security?
November 16, 2022
Thomson Reuters tosses around the word “trust.” Should one trust the firm with data security? (Keep in mind that Thomson Reuters compiles and licenses data to law enforcement and intelligence entities in the US and elsewhere, please.)
As most people know, everyone makes mistakes, but Thomson Reuters made one heck of a doozy when the company left three terabytes of sensitive information open to the Internet. Hackers and their nefarious bots purloined the three terabytes. Cyber News discusses the fallout in: “Thomson Reuters Collected And Leaked At Least 3TB Of Sensitive Data.” The three databases are public-facing and are housed in ElasticSearch software.
Thomson Reuters fixed the problem when it found it, then notified its customers. Thomson Reuters specializes in business-to-business media tools, such as Checkpoint, ONESOURCE, Westlaw, and Reuters Connect. The exposed databases rely on the open-source software ElasticSearch, which was designed for companies handling large amounts of constantly updated data. The leaked three terabytes are worth millions of dollars in the criminal world.
Two databases were public-facing, meaning they were meant to be accessible to the public, while the third was a non-production server related to the product ONESOURCE. The leaked data could cause a lot of mayhem:
“Researchers believe that any loss of information on the dataset could not only harm Thomson Reuters and its clients but also be detrimental to the public interest.
For example, the open database was leaking some individuals’ and organizations’ sensitive screening and compliance data. Accessible data from the public-facing Thomson Reuters database could have tipped off entities that would like their wrongdoing kept in the dark.
According to Martynas Vareikis, Information Security Researcher at Cybernews, threat actors could use the email addresses exposed in the dataset to carry out phishing attacks. Attackers could impersonate Thomson Reuters and send the company’s customers fake invoices.”
While Thomson Reuters attributes the error to a system glitch, leaving the passwords in plaintext was a rookie mistake. No matter how strong the passwords are, they are worthless once exposed.
Trust? Maybe it is a marketing play?
Whitney Grace, November 16, 2022