Organizations handling highly sensitive data belonging to
U.S. residents are not doing enough to protect their customers’ personal
information, as a recent discovery illustrates.
A group of pen testers has found more than a quarter of a million applications for copies of birth certificates in an Amazon Web Services (AWS) storage bucket left wide open to anyone who guesses the URL. TechCrunch verified the data by matching it against public records. The bucket was not protected with a password, which led to its discovery by the UK-based penetration testing firm.
More than 720,000 applications for copies of birth
certificates were exposed, alongside 90,400 death certificate applications. The
records of the deceased could not be accessed or downloaded. However, the same
could not be said of the birth certificate applications, which, TechCrunch says,
exposed “the applicant’s name, date-of-birth, current home address, email
address, phone number and historical personal information, including past
addresses, names of family members and the reason for the application — such as
applying for a passport or researching family history.”
At press time, the unnamed company that leaked the data had not
responded to inquiries. The local data protection authority has also been
informed, but is apparently taking its time responding to the incident.
Security lapses involving exposed AWS buckets are a leading
cause of identity theft and fraud in the United States. Crafty cyber crooks buy
this granular personal data on the dark web and use it to weave together fraud
and phishing campaigns, SMS scams, and even extortion schemes.