A third-party government supplier has exposed hundreds of thousands of applications containing birth-certificate data.
The trove of information is owned by a company that provides an online platform to state governments – including California, New York and Texas – that allows residents to request copies of vital records. Fidus Information Security found the database hosted in an Amazon Web Services (AWS) storage bucket that was left open to the internet.
The bucket contained more than 752,000 applications, with names, addresses, email, phone numbers, family member info, dates of birth and the reason for making the application.
According to TechCrunch, which verified the data, the bucket is still open – and updates daily. In one week, it added 9,000 applications to the database. The owner didn’t respond to multiple contact efforts; Amazon said that it would notify the owner, but no action has been taken, according to Fidus. For that reason, the company has not been named.
“That repeated contacts went unanswered is a clue that the company delivering this service likely is being operated using a high degree of automation and with a limited understanding of how valuable the data they interact with might be,” said Tim Mackey, principal security strategist, Synopsys CyRC, via email. “Properly securing any data store is 101 level work, but we consistently see companies omitting this critical task from their ‘go-live’ checklist.”
This is only the latest incident of data being left exposed via a cloud misconfiguration. Last week, it was revealed that hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers had been laid open to anyone with an internet connection, thanks to the oversight of a contractor working with Sprint.
According to a media investigation, the contractor misconfigured a cloud storage bucket on Amazon Web Services (AWS), in which more than 261,300 documents were stored – mainly cell phone bills from Sprint customers who switched from other carriers.
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.