Unsecured AWS S3 servers are a growing concern for organizations.

In what has become a familiar and troubling refrain, an unsecured Amazon Web Services S3 storage bucket that allows public access has reportedly leaked sensitive information, including credit card numbers, credit reports from the three major reporting agencies, bank account numbers and Social Security numbers. This time, the organization in the crosshairs is the credit repair service National Credit Federation.

The exposed data, a whopping 111 GB worth, allegedly affects tens of thousands of consumers.

UpGuard Director of Cyber Risk Research Chris Vickery discovered the bucket.

Of the 47,000 files in a “crm-mvp” subdomain, most were PDF and text documents containing sensitive data on NCF customers.

“The files appear to have been compiled during the process National Credit Federation customers go through with the firm, as described on the company's website: initially, discussion with NCF representatives about the customer's financial situation, followed by disputes of customer credit report items with the aim of improving the customer's credit score,” according to an UpGuard blog post. “As such, three general pools of data live in the exposed repository: documents submitted by customers to NCF providing their personal and financial details, ‘personalized credit blueprints’ and videos created by NCF for their customers, and customer credit reports from Equifax, Experian, and TransUnion, the ‘big three’ credit reporting agencies.”

The "graver exposures" include photographs and scans of Social Security cards that "reveal full customer Social Security numbers, while other submitted documents contain full customer bank account and credit card numbers," the post noted, adding that the data could be used by malicious actors for identity theft and compromising NCF customers' personal finances. 

"This leak is yet another example of an organization that is in the dark about where its critical data is exposed. Unrestricted public access to critical servers should never have been allowed -- but with the complexity and scale of the IT environment, some of the most obvious issues are missed by security professionals," said Manoj Asnani, vice president of product and design at Balbix, who noted that AI and automation could fill security holes.

“Sadly, as organizations and lines of business migrate to public cloud services, IT has lost control to some degree,” said Varun Badhwar, CEO and co-founder of RedLock, who noted that enterprises often don't have visibility in their cloud environments and don't have the tools to monitor, detect and report on security and compliance. “Many don't have a firm grasp as to which workloads are even in the cloud. You cannot secure what you cannot see.”

While "AWS may have bolstered its native security features," it "doesn't mean the frequency of data leaks will subside," said Mike Schuricht, vice president of product management at Bitglass. "The real solution to limiting the impact of these leaks lies in securing the data itself."