An open Amazon Web Services S3 storage bucket held passport scans, tax documents, job applications and other sensitive personal details. It has since been secured or taken offline after vpnMentor reported it to Amazon
Sensitive details including passport scans belonging to thousands of Brits have been lazily left unsecured in Amazon's cloud for years – but it's unclear who's to blame.
Noam Rotem and Ran Locar are security researchers currently working on behalf of vpnMentor. Last September, they made headlines after spotting the personal details of most of Ecuador's population on an unsecured cloud server; a few months later, they spotted millions of private messages leaked in the same way by an American communications company. Now, it's the UK's turn.
This time around, Rotem and Locar uncovered an unsecured Amazon Web Services (AWS) S3 storage bucket. With no access controls in place, the pair were able to read every file it held, which included thousands of scans of passports, tax documents, job applications, proof of address, background checks, expense forms, scanned contracts complete with signatures, salary information, emails and more.
The files contained a wide range of personally identifiable information, including names, addresses, phone numbers, dates of birth, gender and National Insurance numbers – everything a criminal would need to commit identity theft or fraud, or to mount well-targeted attacks. "It's everything you'd need to steal someone's identity, to open a bank account in their name, or a lot of other malicious things," Rotem says.
There's a reason they keep finding this data: they're looking for it. At the moment, the pair are working on a web-mapping project scanning for data leaks. "The web-mapping project is somewhat of a hobby that I'm doing with a friend in my free time," Rotem says. "We're scanning large parts of the internet and trying to find data that is lying around within open databases that don't require any hacking to be available." They've found data from Fortune 500 companies and the Pentagon – and now thousands of Brits applying for jobs a few years back, it would seem.
The UK-related data they found went back as far as 2011, but most was from 2014 and 2015, and related to a range of HR consultancy companies, the majority of which are already out of business. The nature of the data, however, means it could still be valuable to criminals: identity documents and National Insurance numbers do not expire the way passwords do. The bucket has since been secured or taken offline, after vpnMentor reported it to Amazon.
There's no evidence that anyone found the data before Rotem and Locar did, but there's little way of knowing: a bucket readable with an ordinary web browser leaves no record of who fetched what unless its owner turned on access logging, which is off by default. Plus, it's unclear which company was responsible for failing to secure the data – Amazon wouldn't reveal that – meaning there is no identified organisation to report to the Information Commissioner's Office.
It's unclear from Rotem and Locar's research, or from the information supplied by vpnMentor, which company leaked the British HR data. It may be that the company in question has shut down, as several of the businesses named in the files have been closed according to Companies House. The bucket was labelled "CHS", and has since been secured or removed. "I don't know if they contacted the company and they did it, or if Amazon did it," Rotem says. The data breach was also reported to the National Cyber Security Centre (NCSC), though it took a month for the agency to respond – because, apparently, vpnMentor's email landed in the NCSC's junk mail folder.
None of this is the fault of Amazon, Rotem stresses. AWS has simple ways to secure S3 buckets: keep them private and require authenticated, permission-controlled access. New S3 buckets are private by default, so making their contents readable by the world takes deliberate steps by the account owner – either an access control list that grants read to everyone or a bucket policy that allows any principal – and the AWS console flags clearly any bucket that is open to the world. The as-yet-unknown owner of this particular sloppy bucket failed to take those basic precautions. "Amazon is doing a lot to prevent this," he says. "But at the end of the day the client can decide to keep their systems open. And in this case, the client left everything lying around – you only needed a web browser, a regular web browser, to get all of this information."
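For readers who run buckets of their own, the following is an added example, not code from the article or from vpnMentor, of what "open to the world" means in S3 terms. It checks a bucket's access control list and bucket policy for grants to everyone, the two ways a bucket ends up public, and then shows how AWS's Block Public Access setting, with all four flags on, neutralises both. The ACL, policy and bucket name are constructed for the example; the check is deliberately simplified (any policy statement carrying a Condition is skipped for manual review rather than evaluated).

```python
"""Added example (not from the article): an offline check of whether an S3
bucket's ACL or bucket policy opens it to anyone, and of whether Block Public
Access would override that. The sample ACL and policy below are constructed."""
import json

# The two ACL grantee groups that mean "everyone" (AllUsers = anonymous,
# AuthenticatedUsers = anyone with any AWS account; both count as public).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# The setting that keeps a bucket private regardless of its ACL or policy:
# all four flags on. Names match the PublicAccessBlockConfiguration fields.
BLOCK_ALL = {
    "BlockPublicAcls": True,        # reject new public ACLs
    "IgnorePublicAcls": True,       # ignore public ACLs already in place
    "BlockPublicPolicy": True,      # reject new public bucket policies
    "RestrictPublicBuckets": True,  # stop public/cross-account use of an existing public policy
}


def acl_public_grants(acl):
    """Return (group_uri, permission) for every ACL grant made to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return the Sid (or index) of each Allow statement usable by any principal.

    Simplification (an assumption of this example): a statement with any
    Condition block is skipped and left for manual review, because only some
    condition keys (e.g. aws:SourceVpc) actually restrict who can use it."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    hits = []
    for i, s in enumerate(statements):
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        if _wildcard_principal(s.get("Principal")):
            hits.append(s.get("Sid", f"statement[{i}]"))
    return hits


def is_public(acl, policy, public_access_block=None):
    """Is the bucket reachable by anyone once Block Public Access is applied?

    IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    neutralises public policy grants. Without the setting, either one alone
    exposes every object, which is exactly what an "open bucket" is."""
    pab = public_access_block or {}
    via_acl = bool(acl_public_grants(acl)) and not pab.get("IgnorePublicAcls")
    via_policy = bool(policy_public_statements(policy)) and not pab.get("RestrictPublicBuckets")
    return via_acl or via_policy


# Constructed sample: an ACL granting READ to AllUsers and a policy granting
# s3:GetObject to every principal, the shape of a browser-readable bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
PRIVATE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [SAMPLE_ACL["Grants"][0]]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    print("public ACL grants:", acl_public_grants(SAMPLE_ACL))
    print("public policy statements:", policy_public_statements(SAMPLE_POLICY))
    print("exposed as configured:", is_public(SAMPLE_ACL, SAMPLE_POLICY))
    print("exposed with Block Public Access:", is_public(SAMPLE_ACL, SAMPLE_POLICY, BLOCK_ALL))
```

The same two inputs are what you get back from the real service (`get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` in the AWS CLI), so the functions can be pointed at live buckets once the sample data is swapped out; the point of the offline version is to make visible that a single AllUsers grant or a single `"Principal": "*"` statement is all it takes, and that the Block Public Access flags are what turn that mistake into a no-op.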
That so much sensitive data could be left lying around for years may sound surprising, but Rotem says it's an everyday occurrence. "It's very common, much more common than you'd think," he says. Indeed, there are more cases than Rotem goes public with: he and his partner contact companies every week after finding such unprotected data, and he says he often chooses not to publish if the culprits genuinely try to fix the problem.
Amazon did not comment for this story, but Rotem says AWS has been taking preventative measures. "They are alerting clients that the buckets where they store information are open and they need to review it, it's a security problem. People choose to ignore it – weird, but it happens," he says, suggesting authorities need to issue more fines to spur action. "It's probably a combination of ignorance and a lack of accountability – they simply don't care." If you don't want your company to be the next one outed by Rotem and Locar, lock down your buckets, and check the ones you already have.