Researcher reports that Fujitsu leaked customer data, AWS keys and passwords for nearly a year
Take action: It doesn't matter how big your company is. Everyone makes the same mistakes: data buckets are left unsecured and responsible disclosure protocols are missing. Avoiding them takes a lot of discipline and persistence; otherwise things fall through the cracks and onto the public internet.
A security researcher reports that Fujitsu has been leaking private client data, AWS keys, and plaintext passwords on the public internet for nearly a year.
The breach was discovered by Jelle Ursem, a security researcher from the Dutch Institute for Vulnerability Disclosure (DIVD), who found a Microsoft Azure storage bucket named "fjbackup" that was publicly accessible from March 2022 to early 2023.
This bucket contained sensitive information, including thousands of emails from a full mailbox backup, detailed client activity, team information, and a CSV file with passwords extracted from LastPass.
Major organizations like Centrica and the Dutch water utility PWN, serving 1.7 million customers, were among those affected.
Ursem faced significant challenges in reporting the breach to Fujitsu, attributing the difficulty to the absence of a clear protocol for security disclosures at Fujitsu. It wasn't until Ursem used internal contacts that Fujitsu was made aware and took action to secure the exposed data.
The full impact of the exposure remains unclear because Fujitsu has not disclosed any details.
This breach report follows the incident in which Fujitsu found malware on its business computers, potentially leading to the theft of files containing personal and customer-related information.