A leaky Amazon Web Services storage bucket has exposed more than 752,000 applications requesting copies of birth certificates.
A report yesterday by TechCrunch said the unsecured data set dates back to late 2017, but was just recently discovered by U.K.-based penetration testing company Fidus Information Security. The data is managed by a company that helps individuals obtain birth and death certificate copies from U.S. state government authorities. The company has not yet been identified.
Applications included such information as names, birth dates, current and past home addresses, email addresses, phone numbers, family member names and reasons for requesting the application. Over 90,000 death certificates were reportedly stored on the bucket as well, but those weren't accessible.
James Carder, CSO and vicepresident of LogRhythm Labs, said in emailed comments that this particular data leak is "extremely damaging on many fronts, even when compared to previous breaches involving misconfigured cloud storage buckets."
"First and foremost, there is a damage in trust as it relates to the states' and governments' ability to protect your information," Carder continued. Additionally, "it also exposed very sensitive personally identifiable information... Some of this information can be easily changed, but some of it can never be changed. And combined, it totals about one third of what's needed to have unfettered access to people's identities. The only other details needed are a driver's license or passport and Social Security number, and many people have already had this information compromised in other breaches – including the Equifax and Marriot breaches."
TechCrunch reports that both its own stuff and Fidus attempted to reach the company that manages the data set, but they received only automated responses and no corrective action was taken.
"Examples such as this show just how important it is for consumers to know precisely which companies are part of the software supply chain delivering any given service to them. That repeated contacts went unanswered is a clue that the company delivering this service likely is being operated using a high degree of automation and with a limited understanding of how valuable the data they interact with might be," said Tim Mackey, principal security strategy at Synopsys' Cybersecurity Research Center (CyRC). "Properly securing any data store is 101-level work, but we consistently see companies omitting this critical task from their 'go-live' checklist."
"Service providers and processors need to wake up to the reality that data needs to be protected in a data-centric fashion to eliminate the risks of having a lapse or lack of due diligence," added Warren Poschman, senior solutions architect at comforte AG. "Adopting a data-centric protection model ensures that data is protected anywhere it is stored, moved, shared or used and is the only true firebreak that can quench identity theft."