A third-party government supplier exposed 752,000 applications for copies of birth certificates on an unprotected Amazon Web Services (AWS) storage bucket.
According to authorities, the storage bucket includes all personal information of birth certificate applicants, exposing full names, dates of birth, current home addresses, email addresses, phone numbers, and names of family members. In addition to the birth certificate information, the storage bucket also contains death certificate applications, but these cannot be accessed.
TechCrunch states, “The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web address access to the data. UK-based penetration testing company Fidus Information Security found the exposed data.”
TechCrunch verified the data and said the bucket is still accessible and updates daily. In one week, about 9,000 applications were apparently added to the bucket. Amazon has already notified the owner, but the third-party government supplier has not responded. Because no action has been taken yet, the company cannot be named.
Security strategist Tim Mackey commented on the fact that repeated contacts with the company went unanswered. “This is a clue that the company delivering this service likely is being operated using a high degree of automation and with a limited understanding of how valuable the data they interact with might be,” said Mackey.
Fidus Information Security also found that the contractor misconfigured a cloud storage bucket on AWS in which more than 270,000 items of data were stored. The same company also discovered the same unprotected data bucket in AWS, exposing the information of Sprint, T-Mobile, AT&T, and Verizon customers.
Update Legislation on Data Exposure
With a number of data breaches and exposures happening these days, some security analysts believe the legislation on data exposure should be reviewed.
This particular incident revealed that Amazon cannot do anything to protect the data of its clients without their permission, and that local authorities aren’t prepared. TechCrunch said it informed the local authorities to warn them about the security lapse, but received no immediate comment.
In addition, the third-party government supplier didn’t respond to several emails from Fidus and TechCrunch. The two companies received only automated emails from the unnamed company. Amazon didn’t intervene but promised to inform the customer. AWS received a lot of backlash after a series of data breach incidents, particularly the Capital One data breach.
According to reports, about 4.1 billion people had their personal information exposed in the first half of 2019.