> ...a company entrusted with so many sensitive logins should absolutely be encrypting that information.
> “If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted,” Weaver said. “If they are telling people to reset credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable.”
The penalties for gross negligence are not high enough. These guys should be sued into oblivion; I hope their insurance limits are high enough.
It probably was, but Amazon's bucket checkbox encryption doesn't protect against an authorized user reading the data.
It's trivially easy to encrypt things on AWS, but the attack you're protecting against is someone walking off with the HD, which is not really the important threat. Well, that and making sure that the auditor can check off 'encrypted at rest' on the sheet.
> “If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted,” Weaver said. “If they are telling people to reset credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable.”
The penalties for gross negligence are not high enough. These guys should be sued into oblivion; I hope their insurance limits are high enough.