Over 750,000 applications for US birth certificates have been found exposed online thanks to a misconfigured cloud server.
UK security firm Fidus Information Security found the trove, which was left unsecured in an Amazon Web Services (AWS) bucket with no password protection.
The company in question hasn’t been named because it has yet to respond to attempts by the research team to notify it of the privacy snafu. It provides a service to US citizens allowing them to request copies of birth and death certificates from state governments.
As such, the data exposed is highly sensitive, including: applicant name; date of birth; home and email address; phone number; and other personal information such as previous addresses and names of family members.
That’s all information that would be highly valuable to potential scammers, to help commit identity fraud and craft convincing phishing emails to harvest even more sensitive information.
The identities of children are particularly highly sough after; because they have limited financial records associated with them it is easier for scammers to open new accounts in their name. Over one million US kids fell victim to identity fraud in 2017, resulting in losses of $2.6bn, according to Javelin Strategy & Research.
“Examples such as this show just how important it is for consumers to know precisely which companies are part of the software supply chain delivering any given service to them,” argued Synopsys senior principal consultant, Tim Mackey.
“That repeated contacts went unanswered is a clue that the company delivering this service likely is being operated using a high degree of automation and with a limited understanding of how valuable the data they interact with might be. Properly securing any data store is 101-level work, but we consistently see companies omitting this critical task from their ‘go-live’ checklist.”
Hackers are increasingly prepared to scan for exposed cloud data stores like the one publicized above. In 2019 there have been several incidents where databases have been stolen and ransomed, such as those belonging to Mexican bookstore Libreria Porrua.
Source: Infosecurity Magazine