An unsecured Amazon Web Services database has exposed scans of thousands of British passports. Tax documents and job applications were also visible. It’s not yet clear who left the database exposed.
Two security researchers, Noam Rotem and Ran Locar, discovered the flaw while working for vpnMentor. The AWS S3 bucket was freely accessible. Apart from passports, job applications and tax documents, it also held background checks, addresses, expense forms, and scanned contracts. This means that everything from signatures to e-mail addresses was visible.
The personal information in the documents, including names, phone numbers, birth dates, gender, insurance numbers, etc., could have been used for fraud or identity theft. “It’s everything you’d need to steal someone’s identity, to open a bank account in their name, or a lot of other malicious things,” Rotem says about the data.
There is no evidence that the data was stolen or used by any third parties, but there is also no easy way to find that out. In addition, Amazon did not disclose the company that failed to secure the bucket, so there is no one to report. This also means that the security flaw was not AWS’s fault; the unnamed company in question is to blame.
The data that was found went back to 2011, but most of it came from 2014 and 2015. The information was related to a number of HR consultancy firms, the majority of which are now out of business. This kind of data can still be valuable to hackers, as it is identity-related. The bucket has since been secured or taken offline by Amazon, after vpnMentor contacted the company with the bad news.