
Case Study Cloud Security

The document presents case studies on cloud security breaches involving Facebook, Uber, Angel One, and the U.S. Treasury Department, highlighting the consequences of misconfigurations and poor security practices. Key lessons emphasize the importance of proper access controls, encryption, continuous monitoring, and third-party risk management to prevent data exposure. Each case illustrates the need for robust cybersecurity measures to protect sensitive information and maintain trust.

Uploaded by

Bhavesh

3.6 Case Study on Cloud Security.

Real-Life Example: Facebook (Meta) Cloud Data Leak (2019)

1. Introduction

In April 2019, Facebook (now Meta) faced a massive data leak when over 540 million user
records were found publicly accessible on Amazon’s AWS cloud storage. This happened because
third-party developers misconfigured their cloud databases, making them visible to anyone on
the internet.

2. How the Breach Happened

● Facebook allows third-party apps to access user data through its platform.

● Some of these app developers stored Facebook user data on Amazon AWS cloud servers.

● However, they forgot to set proper security settings, leaving the data publicly accessible
to anyone with the link.

● This meant names, account IDs, comments, and other details were exposed to hackers,
researchers, and cybercriminals.

3. Impact of the Breach

● 540 million user records were leaked online.

● No passwords were stolen, but personal information could be misused for phishing scams.

● Facebook faced regulatory investigations and had to take action to secure user data.

4. Security Mistakes

● Cloud storage was misconfigured, making it publicly accessible.

● No encryption was used for sensitive data.

● No monitoring alerts were in place to detect unauthorized access.

5. How Facebook Fixed the Issue

● Worked with Amazon to secure the leaked data and remove public access.

● Enforced stricter rules for third-party apps on how they store Facebook user data.

● Implemented automatic security checks to prevent similar misconfigurations.

6. Lessons Learned

● Always secure cloud storage by setting proper access controls.

● Encrypt sensitive data to prevent misuse.

● Regularly audit third-party apps to ensure they follow security guidelines.

● Use cloud monitoring tools to detect misconfigurations early.

7. Conclusion

Facebook’s 2019 cloud data leak shows how simple misconfigurations can lead to massive data
exposure. Companies using the cloud must ensure proper access controls, encryption, and
monitoring to keep their data secure.

Real-Life Example: Uber Data Breach (2016 & 2022)

1. Introduction

Uber, the popular ride-hailing company, has faced multiple cloud security breaches due to poor
security practices and misconfigured cloud storage. In 2016, Uber suffered a massive data breach
exposing 57 million customer and driver records. In 2022, another attack compromised internal
systems, highlighting the importance of strong cloud security.

2. The 2016 Uber Data Breach

● Hackers gained access to Uber’s GitHub repositories, where they found AWS access
credentials hardcoded in the source code.

● Using these credentials, they accessed Uber’s AWS S3 storage, which contained personal
data of 57 million users and drivers.

● Instead of reporting the breach, Uber paid the hackers $100,000 to delete the data and keep
quiet, violating regulatory compliance.

● In 2018, Uber was fined $148 million for covering up the breach.

Security Mistakes:

● Hardcoding AWS credentials in the source code.

● Not encrypting sensitive data in S3 storage.

● Lack of access control policies on cloud storage.
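
A repository check for the first mistake above, as an added example that is not Uber's code or tooling. The source file is constructed, the two key values are the placeholder credentials published in AWS documentation, and the function names are hypothetical.

```python
import re

# Long-term IAM access key IDs are "AKIA" plus 16 uppercase letters or digits;
# secret access keys are 40 characters from the base64 alphabet.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret\w*\s*[=:]\s*['\"]([A-Za-z0-9/+]{40})['\"]"),
}

# Constructed source file. The two key values are the placeholder credentials
# used throughout AWS's own documentation, not live keys.
SAMPLE_SOURCE = '''\
import os, boto3

# upload helper
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = os.environ["AWS_REGION"]
'''


def scan_for_aws_keys(text):
    """Return (line_number, kind, redacted_value) for each hardcoded key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                # Redact so the scanner's own output does not leak the secret.
                findings.append((lineno, kind, value[:4] + "*" * (len(value) - 4)))
    return findings


def commit_allowed(text):
    """Gate for a pre-commit or CI step: block when any key is found."""
    return not scan_for_aws_keys(text)


if __name__ == "__main__":
    for finding in scan_for_aws_keys(SAMPLE_SOURCE):
        print(finding)
    print("commit allowed:", commit_allowed(SAMPLE_SOURCE))
```

Values read from the environment or a secrets manager, like `REGION` in the sample, produce no finding.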

3. The 2022 Uber Security Breach

● A hacker used social engineering (phishing) to trick an Uber employee into providing their
VPN credentials.

● The attacker bypassed multi-factor authentication (MFA) using an MFA fatigue attack
(sending multiple authentication requests until the user accepted one).

● Once inside, the hacker gained access to Uber’s internal cloud services, including Slack,
AWS, and Google Workspace.

● Sensitive company and customer data were exposed.

Security Mistakes:

● Weak employee awareness of phishing and social engineering.

● Lack of advanced MFA security measures.

● Over-permissive cloud access policies.
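
Detection logic for the MFA fatigue pattern described above, as an added example that is not from the original document or from Uber. The log format, user names, ten-minute window and five-prompt threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of denied/ignored prompts

# Constructed MFA push log, one event per line: "timestamp user result".
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice approved
2024-05-01T02:10:00 bob denied
2024-05-01T02:10:40 bob denied
2024-05-01T02:11:15 bob timeout
2024-05-01T02:12:00 bob denied
2024-05-01T02:12:30 bob denied
2024-05-01T02:13:10 bob denied
2024-05-01T02:14:00 bob approved
2024-05-01T10:30:00 carol denied
2024-05-01T10:30:20 carol approved
"""


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert_kind, timestamp) alerts.

    push_burst: `threshold` prompts were denied or ignored inside `window`.
    approved_after_burst: an approval arrived while such a burst was active,
    which is the point where the session should be revoked and reviewed.
    Events for each user are assumed to be in chronological order.
    """
    rejected = defaultdict(deque)  # user -> times of denied/timed-out prompts
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts_raw, user, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        queue = rejected[user]
        while queue and ts - queue[0] > window:
            queue.popleft()  # forget prompts older than the window
        if result in ("denied", "timeout"):
            queue.append(ts)
            if len(queue) == threshold:
                alerts.append((user, "push_burst", ts_raw))
        elif result == "approved":
            if len(queue) >= threshold:
                alerts.append((user, "approved_after_burst", ts_raw))
            queue.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```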

4. Impact of Uber’s Breaches

● Massive Data Exposure: Millions of customer and driver records were leaked.

● Regulatory Fines: Uber was fined $148 million in 2018 and faced further investigations in
2022.

● Reputational Damage: Trust in Uber’s data security declined, affecting its business image.

● Legal Consequences: Uber’s Chief Security Officer (CSO) was convicted in 2022 for
covering up the 2016 breach.

5. How Uber Strengthened Its Cloud Security

● Removed hardcoded credentials from source code and implemented secrets management tools.

● Enforced strict IAM policies with least privilege access on AWS.

● Mandated phishing-resistant MFA to prevent social engineering attacks.

● Improved employee security training to detect and report phishing attempts.

● Deployed real-time cloud monitoring to detect unusual login attempts and access patterns.

6. Lessons Learned from Uber’s Cloud Security Failures


● Never store API keys or cloud credentials in code repositories.

● Implement strong IAM controls and least privilege access policies.

● Enforce advanced MFA methods like FIDO-based authentication to prevent MFA bypass attacks.

● Train employees on phishing and social engineering risks.

● Use cloud security monitoring tools to detect and prevent unauthorized access.

7. Conclusion

Uber’s breaches in 2016 and 2022 highlight the serious risks of weak cloud security. Businesses
must adopt strong access controls, advanced authentication, and security monitoring to prevent
similar attacks. Proactive security measures can help organizations protect their cloud
infrastructure and customer data from cyber threats.

Recent Example: Angel One Security Breach (February 2025)

1. Introduction

In February 2025, Angel One, a prominent Indian stock brokerage firm, experienced a security
breach involving its cloud infrastructure. This incident underscores the critical importance of
securing cloud environments to protect sensitive financial data.

2. Details of the Breach

● Compromised AWS Resources: Some of Angel One's Amazon Web Services (AWS)
resources were compromised, indicating potential vulnerabilities in their cloud configuration
or access controls.

● Immediate Response: Upon discovery, Angel One collaborated with an external forensic
partner to assess the breach's impact and promptly changed all affected credentials to mitigate
further risks.

3. Impact of the Breach

● Client Security: Angel One assured that clients' securities, funds, and credentials remained
secure, suggesting that the breach did not extend to customer assets.

● Market Reaction: Following the announcement, Angel One's shares declined by up to 4.7%,
reflecting investor concerns over the security incident.

4. Broader Context

This breach is part of a series of security incidents targeting Indian companies, particularly in the
insurance sector. These events have prompted regulatory bodies to initiate industry-wide audits of
IT systems to enhance cybersecurity measures. Additionally, the Reserve Bank of India plans to
launch secure website domain names to combat phishing and other digital threats.

5. Lessons Learned

● Strengthening Cloud Security: Organizations must ensure robust security configurations
and access controls within their cloud environments to prevent unauthorized access.

● Proactive Monitoring: Continuous monitoring and regular security assessments are vital to
detect and address vulnerabilities promptly.

● Regulatory Compliance: Adhering to regulatory guidelines and participating in industry-wide
security audits can help identify and mitigate potential risks.

This incident highlights the necessity for financial institutions to implement comprehensive cloud
security strategies to protect sensitive data and maintain customer trust.

Recent Example: U.S. Treasury Department Cybersecurity Breach (December 2024)

1. Introduction

In December 2024, the United States Department of the Treasury experienced a significant
cybersecurity breach attributed to a state-sponsored actor from the People's Republic of China. This
incident highlights vulnerabilities associated with third-party cloud services and the importance of
robust cybersecurity measures.

2. Details of the Breach

● Third-Party Exploitation: The attackers targeted a cloud-based service provided by
BeyondTrust, a vendor offering remote support solutions to the Treasury Department. By
compromising an API key, the hackers gained unauthorized access to the department's
systems.

● Scope of Access: The breach allowed the attackers to access unclassified documents and
remotely control certain workstations within the Treasury Department.

3. Discovery and Response

● Detection: BeyondTrust detected unusual activity on December 2, 2024, and identified the
breach by December 8.

● Immediate Actions: Upon discovery, BeyondTrust revoked the compromised API key and
collaborated with the Treasury Department to mitigate the breach. The Treasury Department
also engaged the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal
Bureau of Investigation (FBI) to investigate the incident.

4. Impact of the Breach

● Data Exposure: Unclassified documents were accessed, but there was no evidence
suggesting that classified information was compromised.

● Operational Disruptions: The breach necessitated a temporary shutdown of certain services
to contain the threat, potentially disrupting departmental operations.

5. Lessons Learned

● Third-Party Risk Management: Organizations must thoroughly assess and monitor the
security practices of third-party vendors to prevent similar breaches.

● API Security: Implementing stringent controls over API keys and regularly rotating them
can mitigate unauthorized access risks.

● Continuous Monitoring: Proactive monitoring of network activities is essential for the early
detection and response to security incidents.

6. Conclusion

The December 2024 breach of the U.S. Treasury Department underscores the critical need for
comprehensive cybersecurity strategies, especially concerning third-party service providers. By
enhancing third-party risk management, securing APIs, and maintaining vigilant monitoring,
organizations can better protect themselves against sophisticated cyber threats.
