The Los Angeles County 211 service left about 3.2 million call records on a publicly exposed AWS S3 bucket. The records included a wide variety of personally identifiable information on callers, along with the sometimes very personal reasons they called looking for help.
The data, discovered by UpGuard, included three million lines of call logs and 200,000 rows of detailed call notes containing information such as graphic descriptions of elder abuse, child abuse and suicidal distress. All of it was stored in an AWS S3 bucket misconfigured to be publicly accessible.
“These notes describe the reason for the calls, including personally identifying information for people reporting the problem, persons in need, and, where applicable, their reported abusers,” UpGuard noted.
In other cases, full names, phone numbers and addresses were exposed, and in 33,000 instances full Social Security numbers. The information was made even more useful to anyone who found it by how well organized it was, with every type of problem and situation labeled and broken out into its own category.
“Considering the amount of focus that S3 bucket misconfigurations have gotten in recent months, this exposure of sensitive information is simply unjustifiable. At the end of the day, organizations are responsible for ensuring that they implement continuous compliance and active cloud protection in order to protect personal information and prevent misconfigurations like this from slipping through the cracks,” said Zohar Alon, co-founder and CEO of Dome9, to SC Media.
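The kind of check a continuous-compliance job would run against a bucket like this one is easy to show in code. The following is an added example, not anything from UpGuard, Dome9 or LA County 211: it takes the three configuration documents the S3 API returns (the bucket ACL, the bucket policy and the Public Access Block settings) and flags grants to the AllUsers or AuthenticatedUsers groups and policy statements open to any principal, unless all four Public Access Block flags are on. The ACL, policy and bucket names below are constructed samples, and the function names are the example's own.

```python
"""Offline check of S3 bucket configuration documents for public exposure.

Inputs use the JSON shapes returned by GetBucketAcl, GetBucketPolicy and
GetPublicAccessBlock. Every document below is a constructed sample; nothing
here comes from the LA County 211 bucket.
"""
import json

# Grantee URIs that make an ACL grant readable by the whole internet or by any AWS account
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Public Access Block flags; all four must be on for the block
# to override public ACLs and public bucket policies
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Describe every ACL grant made to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may also sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_public_statements(policy):
    """Describe every Allow statement in a bucket policy that is open to any principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        note = " (narrowed by a Condition; review it)" if stmt.get("Condition") else ""
        findings.append(f"policy allows {', '.join(actions)} to any principal{note}")
    return findings


def assess_bucket(name, acl, policy=None, public_access_block=None):
    """Combine the three documents into a verdict a compliance job can alert on."""
    findings = acl_public_grants(acl) + policy_public_statements(policy or {})
    pab = public_access_block or {}
    blocked = all(pab.get(flag) is True for flag in PAB_FLAGS)
    return {
        "bucket": name,
        "public": bool(findings) and not blocked,
        "public_access_block_complete": blocked,
        "findings": findings,
    }


# Constructed sample: an ACL that lets anyone on the internet list and read the bucket
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# Constructed sample: a policy that additionally lets anyone fetch objects
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
# Constructed sample: owner-only ACL, no policy, Public Access Block fully on
HARDENED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
]}
FULL_BLOCK = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-exposed", EXPOSED_ACL, EXPOSED_POLICY), indent=2))
    print(json.dumps(assess_bucket("example-hardened", HARDENED_ACL, None, FULL_BLOCK), indent=2))
```

In a real job the three documents would be fetched per bucket on a schedule and the `public` field turned into an alert; the Public Access Block check matters because a bucket whose ACL or policy is public stays private as long as all four flags are set, and the converse is what happened here.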
UpGuard discovered the AWS S3 bucket on March 14 and, once its researchers realized how sensitive the available information was, contacted LA County 211. However, it took until April 24 for the right contact to be found and for mitigation efforts to proceed.
The compromised information was not confined to people seeking help; several hundred LA County 211 system users were also affected. UpGuard noted that hashed passwords for 384 user accounts were exposed, 153 of which were actively using the system.
“Almost all of the email addresses were at the @211LA.org domain. The passwords, while hashed, were done so using the MD5 algorithm, an algorithm that is considered weak relative to modern computing power and security standards, and one where many hashes have already been broken, compromising the encryption entirely,” UpGuard wrote.
If these hashes were cracked, it could open up additional LA County 211 accounts to a malicious actor, particularly since so many people reuse the same login credentials across multiple accounts.
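Why unsalted MD5 in a leaked dump is so close to plaintext, and what the fix looks like, can be shown side by side. The following is an added example and not code from UpGuard or LA County 211: it stores a constructed set of accounts twice, once with bare MD5 and once with a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library, and then shows that the MD5 store reveals which users share a password and resolves against a table computed once from a short word list, while the salted records differ even for identical passwords and still verify. The user names, passwords and word list are constructed, and the record format and function names are the example's own.

```python
"""Unsalted MD5 password storage beside a salted, slow PBKDF2 scheme.

All accounts, passwords and words below are constructed for the example;
none of it is LA County 211 data.
"""
import hashlib
import hmac
import os
from collections import Counter

# Constructed accounts; two of them happen to share a password
SAMPLE_USERS = {
    "alice@example.org": "Welcome2018",
    "bob@example.org": "Welcome2018",
    "carol@example.org": "correct horse battery staple",
}

# Constructed word list standing in for the common-password lists attackers already have
COMMON_WORDS = ["password", "123456", "Welcome2018", "letmein"]

PBKDF2_ITERATIONS = 600_000  # slow on purpose; tune to your login latency budget


def md5_digest(password):
    """The weak scheme: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """The hardened scheme: 16 random salt bytes per user plus PBKDF2-HMAC-SHA256.

    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the
    parameters travel with the record and can be raised later.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, record):
    """Recompute from the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unexpected hash scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_store(users, hasher):
    """Hash every account's password with the given scheme."""
    return {user: hasher(pw) for user, pw in users.items()}


def shared_hash_groups(store):
    """Count distinct stored values used by more than one account.

    Without a salt, equal passwords give equal hashes, so the dump itself
    reveals password reuse before any cracking is attempted.
    """
    return sum(1 for n in Counter(store.values()).values() if n > 1)


def unsalted_lookup_hits(store, words):
    """Resolve stored MD5 digests against a table computed once from a word list.

    One table serves every account because nothing per-user went into the
    hash; a per-user salt is exactly what makes this single table useless.
    """
    table = {md5_digest(w): w for w in words}
    return {user: table[h] for user, h in store.items() if h in table}


WEAK_STORE = build_store(SAMPLE_USERS, md5_digest)
HARDENED_STORE = build_store(SAMPLE_USERS, pbkdf2_record)

if __name__ == "__main__":
    print("accounts sharing an MD5 hash:", shared_hash_groups(WEAK_STORE))
    print("accounts resolved from the word list:", unsalted_lookup_hits(WEAK_STORE, COMMON_WORDS))
    print("accounts sharing a PBKDF2 record:", shared_hash_groups(HARDENED_STORE))
    print("alice verifies:", verify_pbkdf2("Welcome2018", HARDENED_STORE["alice@example.org"]))
```

The lookup function is only there to make the weakness concrete; the practical takeaway for a defender is the other half, where a random salt and a deliberately slow hash turn one table-lookup per dump into one expensive computation per account per guess, and where a leaked dump no longer shows which users reuse a password.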