Cloud Growth and Escalating Risk
Cloud computing has reshaped how organizations store, manage, and secure information. Global public cloud spending has grown from roughly $156 billion in 2020 to projections in the hundreds of billions of dollars for 2025, with some estimates approaching $900 billion in total cloud spend.
At the same time, overall data volume continues to increase. Industry analysts expect more than 100 zettabytes of data to reside in cloud infrastructure by the end of 2025, a significant share of all global digital data.
As more data moves to the cloud, the risk surface changes. Applications, workflows, and regulated data are distributed across multiple accounts, regions, and services. Each storage location, whether an Amazon S3 bucket, an EBS snapshot, or an EFS file system, has its own configuration and permission model, and a single misconfiguration in any one of them can expose internal information at scale.
Casmer Labs Cloud Storage Exposure Trends
Casmer Labs is the internal threat research team at Cloud Storage Security. Throughout 2025, Casmer Labs has continued to observe that misconfigured cloud storage remains one of the most common causes of large-scale data exposure. In most cases the cause is not an exploit of a software vulnerability but human error, a lack of continuous visibility, or limited activity monitoring. The result is sensitive data in cloud storage that is publicly accessible without the organization realizing it.
Navy Federal Credit Union Exposure
On September 2 and 3, 2025, researchers publicly reported that Navy Federal Credit Union, the largest credit union in the United States, had internal backup files exposed in an unsecured Amazon S3 bucket. Navy Federal Credit Union primarily serves United States military members, veterans, and their families.
The exposed data set was described as roughly 378 GB of internal backup data in an Amazon S3 bucket that was publicly readable and required no authentication to access.
According to reporting based on the disclosing researcher's findings, the backup contained:
- Usernames and internal email addresses
- Hashed passwords and keys
- Encryption keys and connection details
- Internal documents including operational runbooks, financial performance metrics, rate structures, product tiers, and internal Tableau workbooks
- System logs and business logic such as workflow code and optimization processes
Both the investigators and Navy Federal Credit Union stated that no member data, such as unredacted personally identifiable information or account-level financial data, was observed in plain text in the exposed files. Navy Federal Credit Union stated that the issue involved a vendor system and that access was removed after contact.
Even without member account data, the exposed information still represents risk. Internal usernames, email address formats, process documents, system names, and operational playbooks give an attacker credible detail that can be reused in targeted phishing and social engineering. An attacker can impersonate internal staff, cite real internal systems by name, and request credentials or multifactor codes in a way that appears legitimate. Exposed hashed passwords and keys also warrant rotation: hashes can be cracked offline, and keys and connection strings remain usable until they are revoked.
This incident is part of a continuing pattern across financial services in 2025. Misconfigured Amazon S3 buckets, unsecured backup archives, and open object storage have led to exposure of sensitive internal information. In each case the common factor is that cloud storage was publicly readable when it should not have been.
Recommended Actions for Individuals
If you are a member or customer who is notified that internal data at a financial institution was exposed, standard recommendations include:
- Change passwords on any related accounts and avoid reusing passwords across financial services
- Enable multifactor authentication wherever possible
- Watch for phishing or social engineering attempts that reference specific internal system names, ticket numbers, or internal-style terminology
- Review recent account activity for suspicious logins or transactions
These steps are intended to reduce downstream fraud risk.
Recommended Actions for Organizations
The Navy Federal Credit Union exposure reinforces the need to treat cloud storage as a first-class security surface, not a secondary concern behind applications and endpoints. The following controls are widely recommended:
- Restrict public access and secure storage
Enforce Amazon S3 Block Public Access at the account level, and at the bucket level where account-level enforcement is not yet in place, unless there is a documented, time-bound exception with a named owner. Where possible, disable ACLs entirely by setting S3 Object Ownership to bucket owner enforced, which removes one of the two ways a bucket can become public. Review bucket policies, access control lists, and IAM permissions that allow read access to any principal (a wildcard Principal with no restricting Condition). Block Public Access stops access through public policies and ACLs only; a grant to a specific external account is not "public" and needs its own review. Treat public access to storage as an exception state, not a normal state.
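As an added example (not code from the article, Cloud Storage Security, or DataDefender), the following Python evaluates a bucket's effective public exposure from the three inputs that matter: the Block Public Access configuration, the bucket policy, and the ACL. It works on the dict shapes boto3 returns from get_public_access_block, get_bucket_policy (after json.loads of the Policy string), and get_bucket_acl, but the bucket, policy, ACL, and account ids (111122223333 as owner, 444455556666 as a vendor) are constructed and the live API calls are left out so it runs offline. It reports a wildcard Principal without a Condition as public, a wildcard Principal under a Condition for manual review (AWS treats some condition keys as non-public, which this simplified check does not model), and any grant to a principal outside the owner account as cross-account.

```python
"""Decide whether an S3 bucket is effectively public.

Added example; not Cloud Storage Security or DataDefender code. Inputs use the
dict shapes of boto3's get_public_access_block, get_bucket_policy (decoded) and
get_bucket_acl; the sample values and account ids below are constructed.
"""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principals(stmt):
    """Normalise the Principal element ("*", {"AWS": ...}, lists) to strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    values = p.values() if isinstance(p, dict) else [p]
    out = []
    for v in values:
        out.extend(v if isinstance(v, list) else [v])
    return out


def _account_of(principal):
    """Account id from an ARN or bare 12-digit id; None for "*" or unknown forms."""
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return (parts[4] or None) if len(parts) > 4 else None
    return principal if principal.isdigit() else None


def analyze_policy(policy, owner_account):
    """Classify Allow statements as ("public", sid), ("public-conditional", sid)
    or ("cross-account:<id>", sid). Deny statements are ignored."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        for principal in _principals(stmt):
            if principal == "*":
                kind = "public-conditional" if "Condition" in stmt else "public"
                findings.append((kind, sid))
            else:
                acct = _account_of(principal)
                if acct and acct != owner_account:
                    findings.append(("cross-account:" + acct, sid))
    return findings


def evaluate_bucket(pab, policy, acl, owner_account):
    """Apply Block Public Access semantics to the policy and ACL findings.

    RestrictPublicBuckets stops a public policy from working for anonymous and
    cross-account callers; IgnorePublicAcls neutralises public ACL grants. The
    two Block* settings only reject new public settings, so they get no credit.
    """
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    res = {"public": False, "reasons": []}
    for kind, sid in analyze_policy(policy, owner_account):
        if kind == "public":
            if cfg.get("RestrictPublicBuckets", False):
                res["reasons"].append(f"statement {sid}: Principal * neutralised by RestrictPublicBuckets")
            else:
                res["public"] = True
                res["reasons"].append(f"statement {sid}: Principal * with no Condition")
        elif kind == "public-conditional":
            res["reasons"].append(f"statement {sid}: Principal * under a Condition; review its keys")
        else:
            res["reasons"].append(f"statement {sid}: access granted to account {kind.split(':')[1]}")
    if not cfg.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUP_URIS:
                res["public"] = True
                res["reasons"].append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[1]}")
    return res


# Constructed sample: a backup bucket whose BPA was switched off for a
# "temporary" public share, plus a read grant to an external vendor account.
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TempBackupShare", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Sid": "VendorRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:role/vendor-etl"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}
  ]}""")
SAMPLE_ACL = {"Owner": {"ID": "ownercanonicalid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"},
     "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for label, pab in (("BPA off", SAMPLE_PAB), ("BPA on", HARDENED_PAB)):
        print(label, evaluate_bucket(pab, SAMPLE_POLICY, SAMPLE_ACL, "111122223333"))
```

Running it reports the same policy as public with Block Public Access off and as not public once RestrictPublicBuckets is on. The vendor grant is reported in both cases, which is the practical point: Block Public Access closes the anonymous path but says nothing about who else has been given read access.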
- Monitor and audit activity in storage
Capture and review object-level access logs for high-risk storage locations. For Amazon S3 this means S3 server access logging or CloudTrail data events for the bucket; default CloudTrail management-event logging records bucket-level API calls only and will not show who read which object. Alert on bulk listing, large transfers, or unusual read activity from unfamiliar identities. Early visibility into large data pulls helps identify exfiltration attempts and insider misuse.
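The alerting rules above can be written directly over S3 data-plane records. The Python below is an added example, not DataDefender's detection logic. It runs over constructed records that mimic the fields of CloudTrail S3 data events (eventTime, eventName, userIdentity.arn, additionalEventData.bytesTransferredOut) and raises three kinds of alert per identity: a burst of ListObjects calls, read volume over a limit within a sliding five-minute window, and any identity not on an allowlist. The thresholds, the allowlist, the bucket name, and the account ids are assumptions for illustration; records with no userIdentity arn (how CloudTrail records anonymous S3 requests) are labelled anonymous.

```python
"""Detect bulk listing, large reads and unfamiliar identities in S3 data events.

Added example, not DataDefender's detection logic. Records are constructed to
mimic CloudTrail S3 data events (only the fields used here are present);
thresholds, identities and the allowlist are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
LIST_BURST = 20                     # ListObjects* calls per identity per WINDOW
BYTES_OUT_LIMIT = 500 * 1024 ** 2   # bytes read per identity per WINDOW
BACKUP_ROLE = "arn:aws:sts::111122223333:assumed-role/backup-writer/backup-job"
KNOWN_IDENTITIES = {BACKUP_ROLE}    # assumed allowlist for this bucket


def _t(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known=KNOWN_IDENTITIES):
    """Return sorted (identity, alert) pairs; one alert per identity per type."""
    by_identity = defaultdict(list)
    for e in events:
        # CloudTrail records anonymous S3 requests without a userIdentity arn
        by_identity[e["userIdentity"].get("arn", "anonymous")].append(e)
    alerts = set()
    for ident, evs in by_identity.items():
        if ident not in known:
            alerts.add((ident, "unfamiliar identity"))
        evs.sort(key=_t)
        start = 0
        for end, e in enumerate(evs):
            while _t(evs[start]) < _t(e) - WINDOW:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            lists = sum(w["eventName"] in ("ListObjects", "ListObjectsV2") for w in window)
            out = sum(int(w.get("additionalEventData", {}).get("bytesTransferredOut", 0))
                      for w in window)
            if lists >= LIST_BURST:
                alerts.add((ident, "bulk listing"))
            if out >= BYTES_OUT_LIMIT:
                alerts.add((ident, "large transfer"))
    return sorted(alerts)


def _ev(arn, name, minute, second, bytes_out=0):
    """Build one constructed record in CloudTrail data-event shape."""
    ident = {"arn": arn} if arn else {"type": "AWSAccount", "accountId": "anonymous"}
    return {"eventTime": f"2025-09-02T14:{minute:02d}:{second:02d}Z",
            "eventName": name, "userIdentity": ident,
            "requestParameters": {"bucketName": "example-backups"},
            "additionalEventData": {"bytesTransferredOut": bytes_out}}


SCRAPER = "arn:aws:iam::444455556666:user/scraper"   # assumed external identity
SAMPLE_EVENTS = (
    [_ev(BACKUP_ROLE, "PutObject", 0, 5)]                               # normal write
    + [_ev(SCRAPER, "ListObjectsV2", 10, s) for s in range(0, 50, 2)]   # 25 lists in 50 s
    + [_ev(SCRAPER, "GetObject", 11, 0, 300 * 1024 ** 2),
       _ev(SCRAPER, "GetObject", 12, 0, 300 * 1024 ** 2)]               # 600 MiB read
    + [_ev(None, "GetObject", 30, 0, 4096)]                              # anonymous read
)

if __name__ == "__main__":
    for ident, alert in detect(SAMPLE_EVENTS):
        print(f"{alert:20} {ident}")
```

The backup role's write produces nothing, the external scraper trips all three rules, and the single anonymous read is caught only by the allowlist check. That last case is why the identity rule matters: a low-volume anonymous read is exactly what a public bucket looks like before anyone bulk-downloads it.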
- Encrypt data in storage and in transit
Use server-side encryption for all cloud object storage, manage the keys in a controlled key management service, and require TLS for data movement between storage and consuming services. Encryption does not solve exposure by itself: S3 decrypts SSE-S3 objects transparently for anyone allowed to read them, so a publicly readable bucket still serves plaintext. Encryption with a customer-managed KMS key whose key policy excludes public and external principals does limit how useful exposed objects are, because a reader also needs permission to use the key.
- Automate posture checks
Continuously scan cloud storage for misconfigurations such as publicly accessible S3 buckets, overly permissive access control lists, broad cross-account access, publicly shared or unencrypted snapshots, missing logging, and missing encryption. Automated alerting reduces reliance on manual review and catches configuration drift between reviews. This continuous posture assessment is a core element of data security posture management (DSPM) for cloud storage.
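Covering the encryption point above as well as this posture list, here is an added example (not DataDefender's check set) of a posture scan over a constructed inventory of S3 buckets and EBS snapshots, with findings ordered by severity so the worst exposure surfaces first. Bucket records carry the dict shapes boto3 returns from get_bucket_encryption, get_bucket_logging, and get_bucket_versioning; snapshot records carry Encrypted from describe_snapshots and CreateVolumePermissions from describe_snapshot_attribute. The inventory, bucket names, snapshot ids, account ids, and severity levels are assumptions.

```python
"""Posture scan over an inventory of S3 buckets and EBS snapshots.

Added example, not DataDefender's checks. Input shapes follow boto3's
get_bucket_encryption / get_bucket_logging / get_bucket_versioning and
describe_snapshots / describe_snapshot_attribute responses; the inventory
itself is constructed and the severity levels are assumed.
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def check_bucket(name, bucket):
    """Return (severity, resource, message) findings for one bucket."""
    findings = []
    rules = (bucket.get("encryption", {})
             .get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if not algos:
        # Unusual since S3 applies SSE-S3 by default (Jan 2023), but still worth flagging.
        findings.append(("high", name, "no default server-side encryption configured"))
    elif "aws:kms" not in algos and "aws:kms:dsse" not in algos:
        findings.append(("medium", name,
                         "default encryption is SSE-S3; anyone who can read the object gets plaintext"))
    if "LoggingEnabled" not in bucket.get("logging", {}):
        findings.append(("medium", name, "server access logging disabled"))
    if bucket.get("versioning", {}).get("Status") != "Enabled":
        findings.append(("low", name, "versioning off; Object Lock immutability not possible"))
    return findings


def check_snapshot(snapshot_id, snap, owner_account):
    """Return findings for one EBS snapshot: sharing scope and encryption."""
    findings = []
    for perm in snap.get("CreateVolumePermissions", []):
        if perm.get("Group") == "all":
            findings.append(("critical", snapshot_id,
                             "shared publicly (createVolumePermission group=all)"))
        elif perm.get("UserId") and perm["UserId"] != owner_account:
            findings.append(("high", snapshot_id, f"shared with account {perm['UserId']}"))
    if not snap.get("Encrypted", False):
        findings.append(("high", snapshot_id, "unencrypted snapshot"))
    return findings


def scan(inventory, owner_account):
    """Run every check and order findings so the worst exposure comes first."""
    findings = []
    for name, bucket in inventory.get("buckets", {}).items():
        findings.extend(check_bucket(name, bucket))
    for sid, snap in inventory.get("snapshots", {}).items():
        findings.extend(check_snapshot(sid, snap, owner_account))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))


# Constructed inventory: one neglected backup bucket, one well-configured
# bucket, one publicly shared unencrypted snapshot, one shared with a vendor.
SAMPLE_INVENTORY = {
    "buckets": {
        "example-backups": {
            "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
            "logging": {},
            "versioning": {"Status": "Suspended"},
        },
        "example-ledger": {
            "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}]}},
            "logging": {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "ledger/"}},
            "versioning": {"Status": "Enabled"},
        },
    },
    "snapshots": {
        "snap-0000aaaa": {"Encrypted": False, "CreateVolumePermissions": [{"Group": "all"}]},
        "snap-0000bbbb": {"Encrypted": True, "CreateVolumePermissions": [{"UserId": "444455556666"}]},
    },
}

if __name__ == "__main__":
    for severity, resource, message in scan(SAMPLE_INVENTORY, "111122223333"):
        print(f"{severity:9} {resource:16} {message}")
```

A publicly shared snapshot sorts above everything else because anyone with an AWS account can copy it and mount the volume; the SSE-S3 finding is deliberately only medium, since it matters mainly in combination with a public or over-shared bucket.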
- Perform ongoing security assessments
Conduct routine configuration reviews, tabletop exercises, and data handling audits. Include storage locations owned or managed by vendors, contractors, and integration partners, not only internal accounts. Require remediation timelines for exposed buckets and unsecured backups.
- Educate staff on data handling
Train technical and operations teams on expected storage controls. Reinforce that temporary or test storage is still subject to security policy. Many public exposures begin with a bucket or backup that was assumed to be internal only.
DataDefender Addressing Cloud Storage Risk
DataDefender by Cloud Storage Security is designed to help security and compliance teams govern cloud storage at scale. DataDefender focuses on activity monitoring and data security posture management for cloud storage.
DataDefender provides
- Continuous inventory of storage
DataDefender maintains a live inventory of storage resources across connected AWS accounts. This includes Amazon S3, EBS snapshots, EFS file systems, FSx file systems, and Glacier vaults. The inventory captures owner, business purpose, exposure status, encryption state, recent activity, and other metadata. This helps security teams answer what storage exists, who owns it, and how it is exposed.
- Sensitive data discovery and classification
DataDefender identifies storage locations that contain sensitive or regulated data, including internal operational documents, financial records, credentials, or personal data. That classification allows teams to prioritize high risk locations for immediate review and access reduction.
- Activity monitoring and anomaly detection
DataDefender records which identities accessed which objects and when. It highlights unusual activity in storage such as large transfers, mass listing, or access by unfamiliar principals. This supports investigation of data exfiltration, insider misuse, or ransomware staging at the storage layer.
- Continuous posture evaluation
DataDefender continuously evaluates storage posture. It checks for publicly accessible S3 buckets, permissive access control lists, broad cross account access, insecure or unencrypted snapshots, missing logging, weak retention settings, and lack of immutability. The objective is to surface misconfigurations before they become public exposures.
- Audit ready evidence
DataDefender links actor, time, object, and configuration state. During an incident this enables teams to show when a storage resource became exposed, who accessed which objects, and when access was removed. That level of evidence supports legal review, customer notification decisions, and regulatory response.
DataDefender performs more than 90 automated storage security checks across multiple AWS storage services and prioritizes findings by severity so that issues such as publicly accessible Amazon S3 buckets and broadly shared snapshots are addressed first.
Summary
Public cloud adoption continues to scale, and so does the amount of sensitive operational data stored in cloud object storage. The Navy Federal Credit Union exposure shows that even when plain text customer data is not exposed, internal backup data in a publicly accessible Amazon S3 bucket can still create real risk. The exposed material included usernames, internal email addresses, hashed passwords, keys, internal financial performance metrics, and operational documentation.
Attackers actively scan for misconfigured storage. Tools that identify open S3 buckets and unsecured backups are widely available. Once internal data is exposed, it can be repurposed for phishing, credential theft, social engineering, and follow on intrusion.
Organizations should assume that cloud storage is a primary attack surface. Continuous inventory, sensitive data classification, activity monitoring, posture assessment, and evidence collection are now baseline requirements for cloud storage security. This is the focus area addressed by DataDefender.
👉 Get Started with DataDefender on AWS Marketplace and ensure your most valuable data is continuously monitored, protected, and secured.