Amazon Web Services made significant changes to its data deletion process in response to a security risk flagged by Apple, as revealed in an internal document obtained by Business Insider. Apple noticed abnormal activity surrounding data and content linked to its closed cloud accounts on AWS earlier in 2023, prompting it to approach AWS with concerns that data was being retained beyond the 90-day post-closure deletion policy. A subsequent AWS investigation unearthed nearly 2,000 pieces of content or metadata connected to these terminated Apple accounts that had not been deleted as required, dating back to an account shut down in October 2020.
Although there was no unauthorized access to Apple’s data, AWS acknowledged that its data deletion mechanisms had malfunctioned for some services, so that data belonging to certain closed accounts escaped deletion. The incident highlighted the need for clearer guidance on end-to-end data deletion and led to the appointment of a senior executive responsible for data deletion remediation within AWS. While the internal document did not explicitly name Apple, a separate email referenced a customer named “Fruitstand,” an internal codename for Apple, further indicating the tech giant’s involvement in the security issue.
The incident shed light on the challenges cloud providers face in fully deleting data tied to terminated accounts. Customer data spread across multiple servers globally, often backed up in various data centers, can complicate the process of ensuring timely and complete data deletion. The risk of exposed or exploited data from abandoned accounts poses a significant concern, underscoring the importance of robust data deletion practices in cloud services. Experts emphasized the need for cloud providers to offer customers control over their data, including tracking, retention, and deletion.
In response to the incident, AWS implemented several recommendations to enhance its data deletion process, including improved tracking mechanisms, clear guidelines, periodic reviews, and the introduction of automated auditing for data deletion compliance across all services. Despite these measures, challenges remain in achieving complete data deletion, necessitating further investments in detecting and ensuring data deletion throughout the AWS environment. AWS spokesperson Patrick Neighorn assured that AWS continuously audits service compliance and promptly addresses any issues to uphold data deletion standards.
The incident highlighted the critical nature of data security, particularly for cloud providers like AWS, which have become prime targets for cyberattacks. As more organizations and government entities embrace cloud infrastructure, robust security measures and data protection practices are essential to safeguard sensitive information. The partnership between major cloud providers and their customers underscores the shared responsibility in ensuring data security and privacy in the digital age.
Article Source
https://www.businessinsider.com/apple-alerted-amazon-potential-cloud-security-risk-aws-2024-6