Technology

French marketing firm publicly exposes sensitive data of over 12,000 clients

The latest big AWS S3 exposure comes close in the shadow of GDPR, the European Union's new privacy protection legislation.

By Patrick Howell O'Neill

February 5, 2018

(Octoly)

Prominent French marketing firm Octoly accidentally publicly exposed an Amazon Web Services S3 cloud storage bucket containing sensitive information about the company’s IT operations as well as the firm’s thousands of clients, according to a report from the cybersecurity firm UpGuard.

Octoly, which just got a $10 million investment round, is a marketing firm that connects companies and influencers for native advertising opportunities in the popular and lucrative worlds of beauty and video game blogging. The firm works with Sephora, Dior, Yves Saint Laurent and Blizzard Entertainment as well as popular “influencers” on social media — i.e. people with a large following.

Over 12,000 Octoly clients had sensitive data exposed as a result of a misconfigured AWS account including real names, addresses, phone numbers, email addresses, birth dates and hashed user passwords for the individual influencers. On the brand side, Octoly’s analytics for each specific brand were publicly exposed as well.

“Octoly’s potential business damages as a result of this breach are also noteworthy,” UpGuard’s Dan O’Sullivan explained. “It is the presence of personally identifiable information for individuals across Europe – from Octoly’s home country of France, ranging beyond to Germany, Spain, and the UK – that calls to mind the European Union’s General Data Protection Regulation (GDPR), a strict set of requirements for security and privacy that will come into effect in May 2018.”

GDPR is new data protection legislation in the European Union that can levy fines of up to €20 million or 4 percent of global annual revenue for companies that fail to comply.

Most of the victims of this incident are women, according to UpGuard. Given the sensitive nature of the exposed data, UpGuard researchers raised the specter of harassment and “swatting” attacks against any of the over 12,000 victims.

The S3 cloud storage bucket exposure was discovered Jan. 4 and secured on Feb. 1.

“An internal restructuring unfortunately exposed us to a data security issue,” Annie Nguyen, Octoly’s Head of Corporate Communications said. “We want to assure our community that the necessary steps were taken to resolve it. We truly value our members and their security is important to us.”

Update: Added Octoly’s comment.

French marketing firm publicly exposes sensitive data of over 12,000 clients

More Like This

Democratic operative behind Biden AI robocall says lawsuit won’t ‘get anywhere’

House hurtles toward showdown over expiring surveillance tools

FBI seeks to balance risks, rewards of artificial intelligence

Top Stories

Iranian nationals charged with hacking U.S. companies, Treasury and State departments

CISA ransomware warning program set to fully launch by end of 2024

FCC wants rules for ‘most important part of the internet you’ve probably never heard of’

More Scoops

Exclusive: PR software firm exposes data on nearly 500k contacts

Third-party Facebook apps left people’s data publicly exposed, researchers say

48 million profiles left exposed by data scraping firm, report says

Another cloud leak shows AWS can only do so much to protect data

Florida-based credit firm left 111GB of sensitive customer data exposed on AWS server

Top secret Army, NSA data found on public internet due to misconfigured AWS server

Pentagon left AWS databases publicly exposed

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics