French marketing firm publicly exposes sensitive data of over 12,000 clients

The latest big AWS S3 exposure comes close in the shadow of GDPR, the European Union's new privacy protection legislation.

Prominent French marketing firm Octoly accidentally publicly exposed an Amazon Web Services S3 cloud storage bucket containing sensitive information about the company’s IT operations as well as the firm’s thousands of clients, according to a report from the cybersecurity firm UpGuard.

Octoly, which just got a $10 million investment round, is a marketing firm that connects companies and influencers for native advertising opportunities in the popular and lucrative worlds of beauty and video game blogging. The firm works with Sephora, Dior, Yves Saint Laurent and Blizzard Entertainment as well as popular “influencers” on social media — i.e. people with a large following.

Over 12,000 Octoly clients had sensitive data exposed as a result of a misconfigured AWS account including real names, addresses, phone numbers, email addresses, birth dates and hashed user passwords for the individual influencers. On the brand side, Octoly’s analytics for each specific brand were publicly exposed as well.

“Octoly’s potential business damages as a result of this breach are also noteworthy,” UpGuard’s Dan O’Sullivan explained. “It is the presence of personally identifiable information for individuals across Europe – from Octoly’s home country of France, ranging beyond to Germany, Spain, and the UK – that calls to mind the European Union’s General Data Protection Regulation (GDPR), a strict set of requirements for security and privacy that will come into effect in May 2018.”


GDPR is new data protection legislation in the European Union that can levy fines of up to €20 million or 4 percent of global annual revenue for companies that fail to comply.

Most of the victims of this incident are women, according to UpGuard. Given the sensitive nature of the exposed data, UpGuard researchers raised the specter of harassment and “swatting” attacks against any of the over 12,000 victims.

The S3 cloud storage bucket exposure was discovered Jan. 4 and secured on Feb. 1.

“An internal restructuring unfortunately exposed us to a data security issue,” Annie Nguyen, Octoly’s Head of Corporate Communications said. “We want to assure our community that the necessary steps were taken to resolve it. We truly value our members and their security is important to us.”

Update: Added Octoly’s comment.

Latest Podcasts