Fujitsu exposed client data, AWS keys and passwords for nearly a year, report

Unanswered questions about how many unauthorised parties may have accessed the sensitive information

Fujitsu, the multinational IT services provider, inadvertently exposed private client data, AWS keys and plaintext passwords to the public internet for almost a year.

The breach was discovered by security researcher Jelle Ursem from the Dutch Institute for Vulnerability Disclosure (DIVD), who stumbled upon a publicly accessible Microsoft Azure storage bucket named "fjbackup."

The exposed bucket, which remained accessible from March 2022 to early 2023, contained a trove of sensitive information, including a full mailbox backup holding thousands of emails, extensive client activity details and team information.

Most alarmingly, it also contained a CSV file containing passwords extracted from the popular password manager LastPass.
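Two of the items named above, AWS access keys and a CSV of plaintext passwords, are exactly the kind of content a pre-upload check can catch before a backup set is copied to shared or cloud storage. The following Python script is an added illustration, not code from the article or from Fujitsu; it scans an in-memory set of files for AWS access key IDs and for CSV files whose header includes a password column (as a LastPass export does). The file names, contents and the key value are constructed for the example.

```python
import csv
import io
import re

# AWS access key IDs: AKIA... for long-term IAM keys, ASIA... for temporary STS keys.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Header names that usually mark a CSV as a credential export.
CREDENTIAL_COLUMNS = {"password", "passwd", "secret"}


def find_aws_key_ids(text):
    """Return distinct AWS access key IDs found in text, in order of first appearance."""
    found = []
    for match in AWS_ACCESS_KEY_RE.finditer(text):
        key_id = match.group(0)
        if key_id not in found:
            found.append(key_id)
    return found


def csv_has_credential_column(text):
    """True if the first row of a CSV names a column that normally holds plaintext secrets."""
    reader = csv.reader(io.StringIO(text))
    try:
        header = next(reader)
    except StopIteration:
        return False
    return any(col.strip().lower() in CREDENTIAL_COLUMNS for col in header)


def scan_files(files):
    """files: mapping of path -> file text. Returns a list of (path, finding) tuples."""
    findings = []
    for path, text in files.items():
        for key_id in find_aws_key_ids(text):
            findings.append((path, "aws-access-key-id:" + key_id))
        if path.lower().endswith(".csv") and csv_has_credential_column(text):
            findings.append((path, "csv-with-password-column"))
    return findings


# Constructed sample backup contents (hypothetical; not material from the incident).
SAMPLE_FILES = {
    "notes/readme.txt": "Team rota and meeting notes. Nothing sensitive here.\n",
    "config/deploy.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"   # constructed placeholder key ID
        "AWS_SECRET_ACCESS_KEY=<redacted>\n"
    ),
    "exports/vault.csv": (
        "url,username,password,totp,extra,name,grouping,fav\n"  # LastPass-style header
        "https://example.test,alice,hunter2,,,Example,Work,0\n"
    ),
    "exports/contacts.csv": "name,email\nBob,bob@example.test\n",
}

if __name__ == "__main__":
    for path, finding in scan_files(SAMPLE_FILES):
        print(f"{path}: {finding}")
```

Run it as a gate in the backup job: a non-empty findings list should stop the upload and route the paths to a human, rather than silently stripping lines, so that the source of the credential (a checked-in `.env`, an ad hoc vault export) gets fixed as well.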

Among the affected entities were major organisations like Centrica and Dutch water utility PWN, which serves 1.7 million customers.

Ursem made efforts to notify Fujitsu about the breach, but said he encountered significant challenges in reaching someone who would address the issue promptly.

Fujitsu lacked a clear protocol for security disclosures, making it difficult for Ursem to alert them about the potential risks posed by the exposed data. It was only through internal contacts that Ursem managed to disclose the breach, prompting Fujitsu to take down the compromised bucket.

The full extent of the exposure remains unclear, leaving unanswered questions about how many unauthorised parties may have accessed the sensitive information during the period it was exposed.

Ursem expressed concerns about the broader cybersecurity posture of organisations, highlighting the alarming frequency of such exposures.

"This is not an indicator of a very good posture regarding the current state of their cybersecurity," he told The Stack.

"How can you even fight against people that will export your LastPass vault and dump it into a public bucket?"

Fujitsu, a key player in the IT services industry, has a client base that includes government agencies and major corporations. The company's diverse portfolio encompasses computing products, telecommunications equipment, software, cloud solutions and IT consulting.

Commenting on the latest revelation, Chris Denbigh-White, chief security officer at NextDLP, said: "The recent revelation follows closely on the heels of reports from two days ago indicating that Fujitsu fell victim to a cyber attack, resulting in the compromise of several of its IT assets.

"While it remains premature to speculate on any potential connection between the two incidents, one fact is unequivocal: perpetrating a cyber attack on an organisation becomes considerably more feasible when assailants possess full administrative passwords and detailed insights into the victim's network topology. Such information represents a coveted asset for both malicious actors and penetration testers alike, substantially streamlining their endeavours.

"Undoubtedly, Fujitsu will incorporate this development into their ever-expanding compendium of 'lessons learned'.

"This incident underscores the necessity for data protection technologies to safeguard organisations not only from external threats but also from their own inadvertent vulnerabilities."

Fujitsu last week disclosed a hacking incident in which unspecified client data was stolen.

The company said it found malware on its business computers, which could have led to the unauthorised removal of files containing personal and customer-related information.

"We confirmed the presence of malware on several of our company's work computers, and as a result of an internal investigation, we discovered that files containing personal information and customer information could be illegally taken out," Fujitsu said in an update on its website.

"After confirming the presence of malware, we immediately disconnected the affected business computers and took other measures such as strengthening monitoring of other business computers. Additionally, we are currently continuing to investigate the circumstances surrounding the malware's intrusion and whether information has been leaked."

The company has informed the Personal Information Protection Commission about the breach and is in the process of preparing individual notices for affected customers.

This isn't the first time Fujitsu has faced cybersecurity challenges. In May 2021, the company's ProjectWEB information-sharing tool was exploited by hackers to breach multiple Japanese government agencies. The breach resulted in the unauthorised access and theft of 76,000 email addresses and proprietary data.