by thegrif on 8/29/19, 5:42 AM with 1 comments
Data At Risk
The vulnerability exposed highly sensitive data belonging to a single global Fortune 500 client. This included:
* a transaction-level feed of customer purchases
* 360-degree lifetime customer value across each line of business
* performance of marketing tactics and advertising channels used to drive purchasing habits
* fine-grained details into the performance of focused market segments.
The dataset spans several years. It was preprocessed to remove PII/SPI and includes no information that could be used to tie purchase data back to an individual person.
The exposed information holds little to no value to the general public.
That said, it would be extremely valuable to related companies and the agencies working on their behalf. It is an extremely competitive industry with razor-thin margins. Even small improvements in the efficiency of customer acquisition and sales programs can move the needle.
Finally, an adversary can easily modify this data and the rules used during reporting - thereby skewing results and possibly resulting in large-scale misappropriation of marketing spend.
Control of Underlying Infrastructure
The vulnerability also exposed:
* unfettered access to scaling controls tied to the number and type of EC2 instances powering the underlying platform
* method to place and subsequently execute malicious code on said instances
CVSS base score is a 9.4: http://bit.ly/328WOXl
by TheCrott on 8/30/19, 11:29 PM