In what is perhaps the largest data breach in Brazil in recent times, a hacker group known as John Carter has stolen over 80,000 users’ personal data from Banco Inter, one of Brazil’s biggest all-digital banks. The variety of stolen data is disturbing and ranges from emails and passwords, to personal documents and photos of checks. As Banco Inter hosts most of its data using AWS, this incident raises serious concerns about the security of data on the cloud.

So, what happened? On April 24, 2018, Brazilian tech magazine TecMundo received an email containing an 18-page manifesto from a hacker named “John,” along with a 40GB encrypted file which reportedly contained the personal data of over 300,000 people. John stated in the email that he had attempted to extort money from Banco Inter with intentions of covering up the attack. However, when the bank refused to pay up, John sent the manifesto and data to TecMundo.

TecMundo has so far confirmed that 81,609 users’ data has been breached, including the bank’s customers, employees, and executives. On April 30th, reports of this data being sold on the dark web started surfacing, and a group named John Carter—presumably connected to the same John who sent the manifesto—was offering all of Banco Inter’s stolen data for a price of 10 Bitcoin.

The manifesto lays out in complete technical detail how the hackers carried out the attack, as well as their motivations. It states that the Brazilian banking system is not ready for large-scale migration to the cloud, and the leaked data is proof of that concern. The group wants to prove that the problem is so vast that it should affect the credit rating of not just Banco Inter, but all companies in the fintech space. John Carter also states that Brazil’s Central Bank must update its policies and recommendations for any bank planning large-scale cloud adoption.

How did John Carter pull it off? TecMundo chose not to reveal in-depth technical details of the attack due to security concerns. However, it appears that the entire attack was made possible due to an employee error, after which the hackers were able to gain entry to the bank’s systems in August 2017. They next hacked one of the bank’s applications and gained entry to the cloud servers through Incapsula, a cloud-based application delivery system. Over the course of seven months, John Carter meticulously mined enormous amounts of data and extracted 40GB worth of valuable personal information.

Cloud service provider vs. cloud consumer: Who is responsible for cloud security?

In this situation, we look at a Platform-as-a-Service cloud computing model, where AWS (the cloud provider) provides a platform for the bank (the cloud consumer) to build and deploy their banking applications and services to their customers.

In such a model, both AWS and the bank have a shared responsibility in certain areas like application security and identity infrastructure. However, the bank is entirely responsible for defining user access policies and for data governance.

Undetected for seven months: Use stronger auditing to detect attacks

Banco Inter’s statement on the matter says that it has followed all applicable security regulations and is in compliance with required data protection practices. However, the fact remains that hackers were in the bank’s system for seven months, and were only discovered when they chose to reveal themselves.

From this we can guess that the bank’s auditing measures were not strong enough to capture the initial anomaly in user activity at the start of the hack, or the steady leak of data over several months. Organizations must take note and strengthen their access management, privileged user auditing, and data security policies, and should be on the constant lookout for anomalies in their network and user activity.

Log360: Audit physical, virtual, and cloud environments

Log360 provides end-to-end log management for your networks across physical, virtual, and cloud platforms. The solution’s various components, namely ADAudit Plus, EventLog Analyzer, and Cloud Security Plus, allow you to perform in-depth user auditing within your Active Directory environment, analyze activity across your on-premises network devices, and audit logs from your AWS and Azure cloud environments.