A variety of sensitive information has been there for the taking due to an unsecured cloud storage container
Over 752,000 birth certificate applications have been exposed online by an unnamed company that enables people to obtain copies of birth and death records from state governments in the United States, TechCrunch reports. Needless to say, the exposed cache of documents includes a variety of personal information.
The leak was reported by Fidus Information Security, a company specializing in penetration testing. The applications were found on the Amazon Web Services (AWS) cloud computing platform, sitting out in the open with no password protection whatsoever. This means anyone who could guess the relatively simple web address, bad actors included, could access the records.
Although the application process varies from state to state, the ultimate goal is the same: to allow people to acquire a copy of their records. These records include sensitive personal information such as the applicant's name, date of birth, current home address, email address and phone number. On top of that, the applications also include the names of family members, historical information such as past addresses, and the reason for applying for the documents.
The affected cache included applications dating all the way back to 2017. The company that runs the service added approximately 9,000 applications to the repository in a single week. TechCrunch verified the authenticity of the data by comparing the applications against public records.
As shocking as this leak may look at first glance, it is not an isolated case. Over the 12-month span between June 2018 and May 2019, a total of 2.3 billion files were discovered exposed online due to misconfigured or non-secured file storage and sharing technologies. Organizations' Amazon S3 buckets accounted for 8 percent of the total exposure. AWS did roll out the 'Block Public Access' feature last year, which has mitigated the problem, but it has not stopped it entirely.
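An added example, not from the article or from Fidus or TechCrunch: a small Python audit that flags the two things this story turns on, a bucket ACL that grants access to everyone and a missing or incomplete Block Public Access configuration (it also covers the AuthenticatedUsers group and the IgnorePublicAcls setting, which go beyond the case above). The dictionaries mirror the shape of boto3's get_bucket_acl and get_public_access_block responses, and the bucket names and owner ID are constructed placeholders.

```python
# Group URIs AWS uses for "everyone" and "any AWS account" in S3 ACLs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anonymous internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
}
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (permission, group name) for every ACL grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grant["Permission"], grantee["URI"].rsplit("/", 1)[-1]))
    return hits


def audit_bucket(name, acl, bpa=None):
    """Classify one bucket. bpa is None when the bucket has no Block Public Access
    configuration (boto3 raises NoSuchPublicAccessBlockConfiguration in that case)."""
    cfg = (bpa or {}).get("PublicAccessBlockConfiguration", {})
    missing = [s for s in BPA_SETTINGS if not cfg.get(s, False)]
    grants = public_acl_grants(acl)
    # With IgnorePublicAcls on, public ACL grants still exist but are not honoured.
    exposed = bool(grants) and not cfg.get("IgnorePublicAcls", False)
    return {"bucket": name, "exposed": exposed,
            "public_grants": grants, "missing_bpa": missing}


# Constructed sample data: an open bucket like the one in the story, and a fixed one.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
OPEN_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LOCKED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LOCKED_BPA = {"PublicAccessBlockConfiguration": {s: True for s in BPA_SETTINGS}}

if __name__ == "__main__":
    for r in (audit_bucket("applications-open-example", OPEN_ACL, None),
              audit_bucket("applications-fixed-example", LOCKED_ACL, LOCKED_BPA)):
        print(f"{r['bucket']}: {'EXPOSED' if r['exposed'] else 'ok'} "
              f"grants={r['public_grants']} missing_bpa={r['missing_bpa']}")
```

In a real account the two dictionaries would come from `s3.get_bucket_acl(Bucket=name)` and `s3.get_public_access_block(Bucket=name)` for each bucket returned by `list_buckets`; bucket policies are a separate source of exposure and are not checked here.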
Data leaks from misconfigured public-facing file repositories may result in identity theft and fraud. Although this particular case occurred in the United States, it's worth noting that these kinds of security lapses may lead to stiff penalties under the European Union's General Data Protection Regulation (GDPR).