An error by Dow Jones & Co. in configuring a cloud-computing service left addresses and other information about subscribers to some of its products, including The Wall Street Journal, exposed to possible unauthorized access.
About 2.2 million subscribers’ records were affected, a Dow Jones spokesman said. Some of the records included customer names, usernames, email and physical addresses, and the last 4 digits of credit-card numbers, although some records were missing parts of that information, the spokesman said.
The exposed data was discovered by UpGuard Inc., a cybersecurity firm, which said it notified Dow Jones of the leak on June 5.
“We immediately remedied the situation and have no reason to believe that any data was taken,” said the Dow Jones spokesman, who said the exposed data didn’t include passwords. He declined to say whether the company planned to notify affected customers. The data “did not include full credit-card or account-login information that could pose a significant risk for consumers or require notification,” he said.
In addition to the subscriber information, the data also included information relating to Dow Jones’s Risk & Compliance service, which helps companies follow international regulations, the spokesman said. According to UpGuard, this database contained information on 1.6 million people and entities. Dow Jones said that this data is taken from publicly available sources, but didn’t confirm the number of entries in the database.
The episode is one of a series of inadvertent leaks on cloud-computing systems by companies as they move more of their data from servers that they operate themselves to those managed by Amazon and others.
On Wednesday, for example, Verizon said one of its vendors had inadvertently exposed data on about 6 million customers under circumstances similar to the Dow Jones incident. In a statement, Verizon said that it had confirmed that there was “no loss or theft of Verizon or Verizon customer information” as a result of the incident.
In both the Dow Jones and Verizon cases, administrators had misconfigured their Amazon cloud storage servers, UpGuard said. In Dow Jones’s case, the data was visible to anyone with an Amazon Web Services account, said Chris Vickery, a researcher with UpGuard, which also discovered the Verizon incident. UpGuard uses software tools that guess the internet addresses of exposed data to raise awareness about cyberrisk issues, the company said. The company sells software and services that help companies detect this type of configuration problem.
An Amazon spokeswoman said that its cloud-storage service is configured by default to only be accessible to the account owners. “Well over a million customers continue to use Amazon S3 safely and securely,” she said.
Software developers sometimes change the settings to speed up performance or make collaboration within a company easier, Mr. Vickery said. This type of accidental exposure is “more common than the public realizes,” he said.
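The kind of check that catches this setting, as an added example that is not part of the original article or any tool named in it: it reads bucket ACLs in the JSON shape printed by `aws s3api get-bucket-acl` and reports grants to S3's predefined "any AWS account holder" and "everyone" groups. It assumes the access was granted through a bucket ACL, which the article does not specify; the bucket names, owner IDs and function names are constructed for illustration.

```python
import json

# Predefined S3 ACL groups that reach beyond the bucket owner's own account.
BROAD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

def risky_grants(acl):
    """Return (audience, permission) for every grant made to a broad group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        audience = BROAD_GROUPS.get(grantee.get("URI"))
        if audience:  # other groups (e.g. LogDelivery) are not broad
            findings.append((audience, grant.get("Permission")))
    return findings

def audit(acls_by_bucket):
    """Map bucket name -> findings, keeping only buckets with exposure."""
    report = {name: risky_grants(acl) for name, acl in acls_by_bucket.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample ACLs (assumption: made-up names and IDs, not real data).
SAMPLE = json.loads("""
{
  "example-private-bucket": {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]},
  "example-exposed-bucket": {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"}]}
}
""")

if __name__ == "__main__":
    for bucket, found in audit(SAMPLE).items():
        for audience, permission in found:
            print(f"{bucket}: {permission} granted to {audience}")
```

A bucket left at the owner-only default produces no findings; only the grant to the authenticated-users group is reported.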
Write to Robert McMillan at Robert.Mcmillan@wsj.com