The records and personal information of millions of Time Warner Cable subscribers were left exposed online in an unsecured cloud repository by a third party company, security researchers recently discovered.

The information was found in two databases operated by third-party vendor BroadSoft, a global communication software and service provider. The trove of Time Warner Cable customer information totaled more than 600 gigabytes of total files.

Contained within the databases were a number of personally identifiable pieces of information that could affect Time Warner Cable subscribers. The database listed usernames, email addresses, media access control (MAC) addresses, device serial numbers and financial transaction numbers.

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

“As leaks caused by unsecured or misconfigured public cloud resources continue to occur, it’s worthwhile to explore the reasons why,” Varun Badhwar, CEO and co-founder of cloud security company RedLock, told International Business Times.

“Just as most organizations have adopted advanced threat defense solutions for their on-premise networks, they should also consider implementing solutions that provide advanced threat defense for the cloud. But the reality is this is not happening for the majority of organizations.”

While Social Security numbers and credit card information does not appear to have been exposed in either of the databases, there is still a cause for concern given the amount of contact and location information that was publicly available.

The databases also contained information that appeared to pertain to BroadSoft’s operations, including SQL database dumps, access logs and code that appeared to contain the credentials to external systems—an exposure that may put additional information and systems controlled by BroadSoft at risk.

One database also contained closed circuit television footage of what is believed to be one of BroadSoft’s facilities located in Bengaluru, India.

Kromtech Security Center made the discovery of the databases and noted the repositories could be accessed by anyone who knew or found the URL. An “authenticated user” could also download the full collection of files, including customer information.

Much of the customer information appeared to come from the MyTWC app, a mobile application that allows customers to pay their pill, upgrade services, access voicemail, see channel listings and adjust Wi-Fi settings from their mobile device. According to Kromtech’s security researchers, the customer information dates as far back as 2010 and contained records as recent of July 7, 2017.

“We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes,” Bob Diachenko, Kromtech’s chief communications officer, said in a statement.

“In this case engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access company’s network and infrastructure.”

This is far from the first instance in which a misconfigured cloud repository resulted sensitive information being left exposed and publicly accessible. Around the same time the BroadSoft repository was discovered, a collection of resumes belonging to military veterans and intelligence experts was also discovered in an unsecured database.

Earlier this year, Down Jones—the publisher of the Wall Street Journal— fell victim to a similar error that exposed sensitive personal and financial details of millions of its customers.

14 million customer records from Verizon, including account PINs, were exposed by a third-party company in July. Personal information of more than three million WWE wrestling fans was also discovered in an exposed database the same month.

According to Badhwar, the RedLock Cloud Security Intelligence research team found 40 percent of organizations have public cloud storage resources exposed to the public. They also found 82 percent of databases in public cloud environments are not encrypted and 31 percent are open to the internet.