CMS Platform Leak
Another warning about properly storing files in the cloud arrived this week when Kromtech Security Researchers discovered a trove of confidential data connected to the rights management platform Rightsline. The data appears to be a PC backup belonging to one of the company's VPs, stored in an unprotected Amazon S3 bucket, and dates from 2004-2008. With clients such as EMI, Sony Pictures, Comcast, NBCUniversal and other top names, it is easy to see just how sensitive this data could be.
Amazon Simple Storage Service (Amazon S3) is object storage designed to store and retrieve any type of data over the Internet, and in general it is very secure. S3 is used for backup and recovery, tiered archiving, photos, videos, music and files, "Big Data" analytics, data warehouse platforms, and just about anything else you can imagine. Unsecured S3 buckets are not something Amazon misconfigures. By default, none of the content in a bucket is accessible from outside the account that owns it. However, as our security audits keep showing, far too many companies, individuals, organizations, and government agencies deliberately relax those defaults, for reasons that remain unclear, by granting read access to the "Everyone" (AllUsers) group on the bucket ACL or by attaching a bucket policy that allows anonymous principals. Once Amazon's default protection is disabled in this way, the data becomes available to anyone on the Internet who knows or guesses the bucket name.
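The following is an added example, not code from the original article or from Kromtech or Rightsline. It shows, offline, the three places where a bucket's "private by default" status gets undone: an ACL grant to the AllUsers or AuthenticatedUsers group, a bucket policy with an anonymous principal, and the S3 Block Public Access flags that would otherwise neutralise both. The input shapes mirror what `aws s3api get-bucket-acl`, `get-bucket-policy` (its "Policy" field) and `get-public-access-block` return; the sample documents, bucket name and owner ID are constructed, and the function names are this example's own.

```python
import json

# Canonical URIs of the two S3 "global" grantee groups. A grant to either one
# is what turns a private-by-default bucket into a public one.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anyone on the Internet)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (anyone with any AWS account)",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Findings for bucket ACL grants to the global groups (get-bucket-acl shape)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def _principal_is_anonymous(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean "everyone".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_findings(policy):
    """Findings for Allow statements granted to anonymous principals.

    `policy` may be the policy document as a dict or as the JSON string that
    get-bucket-policy returns in its "Policy" field; None means no policy.
    """
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        # A Condition does not make the statement safe: aws:SourceIp or aws:Referer
        # conditions are often wide open or spoofable, so report it for review.
        note = " (has a Condition block; review it)" if "Condition" in stmt else ""
        findings.append(f"Policy statement {stmt.get('Sid', '<no Sid>')} allows {actions} to anonymous principals{note}")
    return findings


def block_public_access_gaps(config):
    """Names of the Block Public Access flags that are not enabled (get-public-access-block shape)."""
    cfg = (config or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in BPA_FLAGS if not cfg.get(flag, False)]


def assess_bucket(acl, policy=None, public_access_block=None):
    """Combine the three checks. A public ACL is neutralised by IgnorePublicAcls,
    a public policy by RestrictPublicBuckets; otherwise the bucket is exposed."""
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    acl_hits, policy_hits = acl_findings(acl), policy_findings(policy)
    exposed = (bool(acl_hits) and not cfg.get("IgnorePublicAcls", False)) or (
        bool(policy_hits) and not cfg.get("RestrictPublicBuckets", False))
    return {
        "exposed": exposed,
        "findings": acl_hits + policy_hits,
        "block_public_access_gaps": block_public_access_gaps(public_access_block),
    }


# Constructed sample responses (not real data): a bucket opened up the way the
# article describes, with a public-read ACL and an anonymous GetObject policy.
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef-example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef-example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-vp-backup/*"}],
})
BPA_OFF = {"PublicAccessBlockConfiguration": {flag: False for flag in BPA_FLAGS}}
BPA_ON = {"PublicAccessBlockConfiguration": {flag: True for flag in BPA_FLAGS}}

if __name__ == "__main__":
    for label, bpa in (("Block Public Access off", BPA_OFF), ("Block Public Access on", BPA_ON)):
        result = assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, bpa)
        print(f"{label}: exposed={result['exposed']}")
        for line in result["findings"]:
            print("  -", line)
```

Run against real output by piping the JSON from the three `aws s3api` calls into the functions. The point the check makes concrete is the one the article makes in prose: the sample bucket reports the same two findings whether Block Public Access is on or off, but only the "off" case is actually exposed, because someone had to both grant the public access and leave the guard rails disabled.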
Rightsline is marketed as an advanced content management system (CMS) that helps intellectual property owners manage their contacts, projects, catalogs, deals, inventory, and accounting. It is sold both as software and as a service for rights and contract management. The idea behind the platform is to use technology to streamline the complex side of the entertainment business, and so make more money. In short, the platform helps intellectual property owners manage things like contracts and the licensing of shows, seasons, films, albums, songs, and content distribution.
“Rightsline leverages the most secure data protection mechanisms available in the market to ensure that your data always remains your data.” - from the Rightsline website
The danger in any data breach or leak is often the human factor. In this case a company can do everything right and take the necessary precautions, only to have a senior executive leave a backup exposed in a public bucket. The backup contained a massive amount of information on clients and payments, and included 2GB of backed-up email correspondence. Many of the files are marked "Privileged and Confidential", and together they offer a unique look into the world of the music and entertainment business.
The list contains some of the biggest names in music and some of the most beloved songs ever written. What is most interesting is to see the cost of including music in TV, films, and commercials. Some of the totals on these spreadsheets are jaw-dropping. This information is usually kept private for a number of reasons, but seeing the breakdown helps you understand the massive amounts of money involved, who it is going to, where the music will be used, and so on.
In June 2014 Critical Mass Studios Inc acquired RightsLine Software. At the time RightsLine was already being used to track more than 65,000 contracts across the entertainment industry by studios and major publishers such as NBCUniversal, Snagfilms, MGM and Samuel French. Although the exposed data predates the Critical Mass Studios Inc purchase, Rightsline was already established and working with some big brands at the time, and all of that information was publicly available online.
The data even contained screenshots of royalty tracking and accounting information for toy giant Mattel's Barbie accessory orders at Walmart, totaling in the millions of dollars.
Kromtech Security Researchers also discovered an unencrypted spreadsheet of remote access logins for the company's servers and production database, more than enough credentials for anyone to access its systems. It is unclear whether any of the admin credentials are still valid, or whether anyone other than security researchers gained access to the data; the owner of such a dump should treat every credential in it as compromised and rotate it regardless. One of the biggest discoveries in the repository is the massive email backup containing over 2GB of confidential correspondence.
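As an added example (not code from the article, Kromtech or Rightsline), here is the triage step a responder would run over an exposed "logins" spreadsheet: inventory every credential in it, both in obvious password columns and embedded in connection-string URLs, without echoing the secrets, and turn the result into a rotation list of (host, user) pairs. The CSV rows, hostnames and passwords below are constructed, and the function names are this example's own.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample rows in the style of a "remote access logins" sheet. These are
# made-up hosts and passwords, not data from the Rightsline backup.
SAMPLE_CSV = """System,Host,Username,Password,Notes
Production DB,db1.example.internal,dbadmin,Summer2008!,MySQL root-equivalent
RDP jump box,rdp.example.internal,vpadmin,Winter07,
Reporting,,,,connection string mysql://reports:rep0rts@db2.example.internal:3306/rights
Wiki,wiki.example.internal,,,no login required
"""

# Column headers that usually hold a secret, and URLs carrying user:password@host.
SECRET_HEADER = re.compile(r"pass(word|wd)?|secret|token|api[ _-]?key", re.I)
URL_USERINFO = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s/]+", re.I)


def find_credentials(csv_text):
    """Return one record per credential found, recording only the secret's length."""
    hits = []
    # Line 1 of the export is the header, so data rows start at line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for column, value in row.items():
            # Case 1: a non-empty cell under a header such as Password / Secret / Token.
            if column and SECRET_HEADER.search(column) and value:
                hits.append({"line": line_no, "host": row.get("Host") or "?",
                             "user": row.get("Username") or "?",
                             "source": f"column {column}", "secret_len": len(value)})
            # Case 2: credentials hidden in any cell as scheme://user:pass@host.
            for match in URL_USERINFO.finditer(value or ""):
                url = urlparse(match.group(0))
                hits.append({"line": line_no, "host": url.hostname, "user": url.username,
                             "source": "userinfo in URL", "secret_len": len(url.password or "")})
    return hits


def rotation_list(hits):
    """Unique (host, user) pairs to rotate, whether or not the credential still works."""
    return sorted({(hit["host"], hit["user"]) for hit in hits})


if __name__ == "__main__":
    found = find_credentials(SAMPLE_CSV)
    for hit in found:
        print(f"line {hit['line']}: {hit['user']}@{hit['host']} via {hit['source']} "
              f"({hit['secret_len']} chars)")
    print("rotate:", rotation_list(found))
```

The records deliberately carry the secret's length rather than the secret, so the triage output can go into a ticket without becoming a second copy of the leak; validity is never tested, because a credential that happens to be expired today still tells an attacker the host, the account naming scheme and the password style the owner uses.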
The exposed bucket was quickly secured after Kromtech notified the company on June 12; however, no feedback was ever received. It is also unknown how long the bucket was open to public access and who else might have downloaded the data.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.