Data leakage via misconfigured Amazon storage buckets struck twice in the past few weeks.
In July, almost 14,000 documents detailing patient social security numbers and medical data – such as mental illness or cancer – was exposed in a misconfigured storage bucket owned by healthcare vendor Medico.
Weeks later, researchers reported on Tuesday, the Democratic Senatorial Campaign Committee leaked over 6 million email addresses when a file name “EmailExcludeClinton.csv” became available via misconfigured Amazon storage bucket. Data in that leak is suspected to include a list of people who had opted out or should otherwise be excluded from DSCC marketing emails.
Amazon S3 storage buckets have been low hanging fruit for breach hunters. In the two instances above, data was discovered by security researchers at Upguard.
“The digitization of every sphere of life has created a myriad of consequences that are just now coming to light. Healthcare, finance, and politics are among the major convergences of personal data being collected and used every day,” wrote UpGuard in a blog post Tuesday. It points out that this data is far from innocuous, and that organizations should have a higher respect for customer data.
“Unless steps are taken to better control the way in which data is gathered, concentrated, and processed, exposures of this kind will continue, and their scope and scale will increase,” UpGuard wrote.
Researchers behind the treasure-trove of leaked medical data said the discovery included 1.7 GB of PDFs, text files and images in a misconfigured Amazon S3 bucket owned by Medico, which provides billing and insurance data processing. Medico’s site claims they have processed over a million claims for at least 400 providers and 100 medical practices.
The exposed documents include insurance benefits, insurance claims, medical records and reports, legal documents for Medico clients, as well as internal business data for Medico itself – but in addition to a wave of highly personal medical records, patients’ financial and social security data was also exposed: “Much personally identifiable information (PII) for individuals whose medical business was processed by Medico is present in these documents, including bank account and routing numbers, insurance details, social security numbers (SSNs), and more,” UpGuard researchers said in July.
Researchers detected the exposed Amazon S3 bucket, titled “medicoar,” on June 20. After contacting Medico on June 21, the bucket was closed within hours: “This quick response and action greatly helps the individuals whose data is present in an exposure, and should serve as an example to any organization facing a breach,” researchers said.
Neither Medico nor UpGuard responded to questions about how long the bucket was exposed for, and whether it was accessed by anyone other than UpGuard.
Leaky Democrat Docs
As for the Democratic Senatorial Campaign Committee, UpGuard said it discovered an Amazon S3 storage bucket named “toclinton” on July 25. “This bucket was available to globally authenticated AWS users, one of the two public groups available in S3 permissions,” researchers wrote. In other words, the data was available to anyone with a free AWS account.
The most sensitive data was the file “EmailExcludeClinton.csv”, a 145MB comma-separated values file that contained over 6,235,397 lines, or 6.2 million email addresses. “
“The file ‘EmailExcludeClinton.csv’ was last modified on September 17, 2010. How the contents of the file fit into the timeline of Clinton’s career in politics is unknown from what is in this bucket, but it is certain that it predates her 2016 presidential bid by several years,” researchers noted.
In June 2017, UpGuard has previously reported almost 200 million voter profiles culled by Republican data broker Deep Root Analytics were left exposed on an Amazon S3 server.
“Organizations should treat their data with the same respect they give to the success it allows them to achieve,” UpGuard researchers said Tuesday.