Data breach hits four million Time Warner app users

Sensitive information about more than four million users of an app created by Time Warner Cable has been accidentally exposed online.

Security company Kromtech found 600GB of unprotected data on an Amazon server last month.

User names, account numbers and other details were discovered.

In a separate accident, files on thousands of Americans with high level security clearances were found on an unsecured Amazon server.

In a blog, Kromtech said, external the data it had found was about users of Time Warner Cable's MyTWC app, which lets customers manage their account via a smartphone or tablet.

Charter Communications, the parent company of Time Warner Cable, said users' financial information had not been exposed and the data largely concerned former or "legacy" customers.

The information had been removed as soon as the company had been told it was visible, Charter told Reuters.

The company said its early analysis suggested the information belonged to Broadsoft - which developed the MyTWC app.

In a statement, Broadsoft said no bank, credit card or other personal data about end users was exposed in the breach. Nor, it said, were any of its core systems left open to scrutiny.

It said: "As soon as we recognised the exposure, we immediately began to resecure the information.

"We continue to work closely with our customers to ensure the privacy of their data and to assure them that their information and that of their end-users is secure," it added.

The other breach was uncovered by technology news website Gizmodo, external, which found information on sensitive government workers employed by security company TigerSwan.

It found more than 9,400 documents revealing "extraordinary details" about people who had worked for the US Department of Defense and its intelligence agencies.

Also in the exposed data was information about people in Iraq and Afghanistan who had worked with the US military.

Security company Upguard, which worked with Gizmodo to analyse the leak, said many people, external could be "endangered" if the information uncovered was widely shared.

In response, TigerSwan said, external it took information security "very seriously", found the exposure "inexcusable" and planned to investigate how the data came to be publicly exposed.

It added: "The situation is rectified, and we have initiated steps to inform the individuals affected by this breach."

This year has seen a series of breaches involving data uploaded to Amazon's AWS and cloud services.

Verizon, Dow Jones, voting machine maker ES&S and the World Wrestling Entertainment (WWE) have all had data released this way.

This month, Amazon released a software tool called Macie that automatically scans servers to make sure data is not being inadvertently exposed.

In addition, last month Amazon started sending warnings to its AWS users if it found they had uploaded data that anyone could see.

Independent security expert Graham Cluley said the problem had a "fundamentally human" cause.

"On each occasion, it boils down to some noodle-brain unwisely opening up their data buckets to all and sundry, making their contents publicly visible," he said.

Shutting off access might not end the sharing of sensitive data, he said.

"Even if companies realise they've accidentally published sensitive data via Amazon and locked up their data buckets, there is always the risk that Google has already indexed and cached the information," Mr Cluley said.