Thomson Reuters notifies customers of exposed server with unprotected business data

Thomson Reuters said it has notified a “small subset of customers” of a misconfigured server after researchers discovered 3 TB of data in an exposed cloud database.

A spokesperson for the company told The Record the issue involved an ElasticSearch server used with their ONESOURCE Global Trade product — a tool the media conglomerate markets to Fortune 500 businesses as a global trade compliance platform. Businesses use the product to get information about regulatory rules in different countries and other information about the supply chain ecosystem around the world. 

According to the spokesperson, the server contained logs of customers' searches on the platform.

“We have proactively notified the small subset of customers who may have had data logged on that server. We have also addressed and mitigated the misconfiguration," they said. "The majority of the customers are based in the USA."

Thomson Reuters confirmed that it was alerted to the misconfigured servers by Cybernews, a cybersecurity research organization, which found they had been left accessible since October 21. The company published a report saying their researchers found three databases accessible to anyone, one of which had “a trove of sensitive, up-to-date information from across the company’s platforms.”

Both Thomson Reuters and Cybernews said the issue was quickly addressed after it was discovered.

Cybernews said evidence from the server showed that the open instance “was used as a logging server to collect vast amounts of data gathered through user-client interaction,” with some data samples logged as recently as October 26. 

“In other words, the company collected and exposed thousands of gigabytes of data that Cybernews researchers believe would be worth millions of dollars on underground criminal forums because of the potential access it could give to other systems,” the researchers said. Among the cache were "credentials to third-party servers."

"The details were held in plaintext format, visible to anyone crawling through the open instance... This type of information would allow threat actors to gain an initial foothold in the systems used by companies working with Thomson Reuters," they wrote.

The Thomson Reuters spokesperson said an investigation was launched as soon as Cybernews notified them of the issue.

“We appreciate the work of the ethical security researchers who brought this matter to our attention,” they said. 

Laminar CEO Amit Shaked explained that unsecured ElasticSearch databases are extremely common and can affect nearly any company – leading to potential exposure of important information.

Because cloud hosting solutions often fall on the outskirts of data and security teams' visibility range, Shaked said the incident is another reminder for security teams to make sure they know where sensitive data is held, especially in cloud-based environments. 

Jerrod Piker, competitive intelligence analyst at cybersecurity firm Deep Instinct, added that the exposure of third-party credentials in plaintext was a concerning aspect of the leak, creating risk for Thomson Reuters and its customers. 

“Because of the inherent trust that business partners place in each other, this is a very alarming discovery to say the least,” Piker said. 

Dan Vasile, former vice president of information security at Paramount, tied the incident with Thomson Reuters to the cyberattacks faced by other news outlets like The New York Post and Fast Company, noting that media companies are typically targeted for the vast amount of data they have access to. 

“Generally speaking, large media organizations have structured cyber security programs in place. However, the sector has been evolving over the years, expanding content production and distribution by both traditional and new means, adopting new technologies, and that has created a more distributed and fragmented third-party ecosystem,” said Vasile, who now is now a vice president at cybersecurity firm BlueVoyant. 

“In addition, as companies’ internal networks become more well-defended, often a member of their digital supply chain, like a vendor or supplier, is the weak link. Our own recent research on the media industry found security weaknesses and vulnerabilities across a number of vendors that support the media industry, suggesting that, as an industry, media faces significant cybersecurity challenges.” 

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.