Cloud Security Misconfigurations Expose 3.2 Million Records, Study Finds

By Admin User

Security researchers discovered more than 3.2 million sensitive records exposed through misconfigured cloud storage buckets and databases in 2024, according to a study released Tuesday by cybersecurity firm UpGuard.

The research examined 50,000 organizations using Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Researchers identified 2,847 publicly accessible databases and storage containers containing customer data, employee records, and intellectual property.

Common Vulnerabilities

Incorrect access controls accounted for 72 percent of exposures, allowing unauthenticated users to view or download sensitive data. Other common issues included disabled encryption, exposed API keys, and misconfigured network security groups.

"Most exposures result from simple configuration mistakes, not sophisticated attacks," said Mike Baukes, UpGuard's co-founder. "Organizations move workloads to the cloud faster than they can secure them properly."

Financial services companies and healthcare organizations accounted for 41 percent of exposures despite having more mature security programs. Researchers attributed this to the volume and complexity of cloud deployments in these sectors.

Industry Response

Major cloud providers offer free security scanning tools and automated remediation for common misconfigurations. AWS enabled default encryption for new storage buckets last year. Azure and Google Cloud followed with similar changes.

Security experts recommend organizations implement cloud security posture management tools that continuously monitor configurations and alert teams to potential exposures. Leading CSPM vendors include Palo Alto Networks, Wiz, and Orca Security.

Regulatory Implications

Federal regulators are scrutinizing cloud security practices more closely following high-profile breaches. The Securities and Exchange Commission proposed rules last year requiring public companies to disclose cybersecurity governance and risk management processes.

State privacy laws including California's CCPA and Virginia's CDPA require organizations to implement reasonable security measures protecting consumer data. Regulators have cited cloud misconfigurations as evidence of inadequate security controls in enforcement actions.

The Federal Trade Commission settled with three companies in 2024 over cloud security failures that exposed customer data. Settlements required security audits, employee training, and third-party assessments.
