As reported by Wired, an unprotected AWS (Amazon Web Services) S3 database containing personal and private information of British citizens was discovered by security researchers Noam Rotem and Ran Locar of the security firm vpnMentor. It included passport scans, tax documents, job applications, background checks, expense forms, scanned contracts complete with signatures, salary information, emails and more.
The researchers found no access protection on this AWS storage container, known as a bucket, and were therefore able to read every file stored in it. The files contained a wide range of Personally Identifiable Information (PII), including names, addresses, phone numbers, dates of birth, gender and national insurance numbers; in short, everything a threat actor needs to carry out identity theft, fraud or any other attack targeted at the affected person. “It’s everything you need to steal someone’s identity, to open a bank account in their name, or a lot of other malicious things,” the researchers said.
Data found in the unprotected bucket dates as far back as 2011, but most of it is from 2014 and 2015. It had been collected and stored by multiple HR-related consultancy companies, the majority of which have since gone out of business. vpnMentor contacted Amazon about the exposed S3 bucket; Amazon responded promptly, secured it and took it offline.
Researchers came across this data while working on a web-mapping project that scans for data leaks. Rotem said, “We’re scanning large parts of the internet and trying to find data that is lying around within open databases that don’t require any hacking.”
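The exposure described above comes down to a bucket whose access configuration lets anonymous callers list and read objects. The following added example (not code from the article, vpnMentor or Amazon) shows how a defender can audit the three places where that happens: the bucket ACL, the bucket policy, and the account/bucket "Block Public Access" settings that override both. The ACL, policy and block-settings documents are constructed inline in the shape returned by the S3 `GetBucketAcl`, `GetBucketPolicy` and `GetPublicAccessBlock` APIs; the bucket name, account ID and role name are invented placeholders.

```python
"""Audit an S3 bucket's access configuration for public exposure.

Added example; the inputs below are constructed to look like the JSON the S3
GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock APIs return.
"""

# The two ACL grantee groups that mean "anyone" (AllUsers = anonymous).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return the permissions the bucket ACL grants to the world, e.g. ['READ']."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append(grant["Permission"])
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return (Sid, has_condition) for every Allow statement open to any principal.

    A Condition block may narrow the caller (for example to one VPC), so such
    statements are reported for review rather than treated as definitely public.
    """
    found = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        found.append((sid, bool(stmt.get("Condition"))))
    return found


def assess_bucket(acl, policy, block_config):
    """Combine ACL, policy and Block Public Access settings into one verdict."""
    findings = []
    public = False
    acl_ignored = block_config.get("IgnorePublicAcls") is True
    policy_restricted = block_config.get("RestrictPublicBuckets") is True

    for permission in acl_public_grants(acl):
        if acl_ignored:
            findings.append(f"ACL grants {permission} to everyone, but IgnorePublicAcls neutralises it")
        else:
            public = True
            findings.append(f"ACL grants {permission} to everyone")

    for sid, has_condition in policy_public_statements(policy):
        if policy_restricted:
            findings.append(f"policy statement {sid} has a wildcard principal, but RestrictPublicBuckets applies")
        elif has_condition:
            findings.append(f"policy statement {sid} has a wildcard principal narrowed by a Condition: review")
        else:
            public = True
            findings.append(f"policy statement {sid} allows any principal")

    return {"public": public, "findings": findings}


# --- constructed sample configurations (placeholder names and IDs) ---
OWNER = {"Type": "CanonicalUser", "ID": "0000example-owner-id"}
LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAFE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hr-archive/*"},
]}
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "HrAppOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-app"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-hr-archive/*"},
]}
BLOCK_NONE = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}
BLOCK_ALL = {k: True for k in BLOCK_NONE}

if __name__ == "__main__":
    for label, args in [("leaky", (LEAKY_ACL, LEAKY_POLICY, BLOCK_NONE)),
                        ("leaky + block public access", (LEAKY_ACL, LEAKY_POLICY, BLOCK_ALL)),
                        ("least privilege", (SAFE_ACL, SAFE_POLICY, BLOCK_NONE))]:
        verdict = assess_bucket(*args)
        print(f"{label}: public={verdict['public']}")
        for line in verdict["findings"]:
            print("  -", line)
```

The "leaky + block public access" case is the one worth noting: the same world-readable ACL and wildcard policy become harmless once all four Block Public Access flags are on, which is why enabling them at the account level is the standard baseline, with per-bucket ACLs and policies then audited for least privilege as a second layer.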
A few months earlier the same pair of researchers had found another unprotected database, run by the American communications company and bulk SMS provider TrueDialog. The leaky database hosted 604 GB of data in around one billion entries and exposed TrueDialog customers’ private text messages, millions of account usernames and passwords, years of information on TrueDialog’s business model, conversations with its customers, and account details.
In a separate incident, the same team found yet another unprotected database that exposed sensitive information on around 80 million households in the U.S. The server contained personal information about U.S. residents, including full names, marital status, income bracket, age and more. The researchers also found coded references to further attributes such as title, gender, marital status, homeowner status and dwelling type.