Over 750,000 applications for birth certificate copies leaked off Amazon's cloud
They weren't protected with a password. Seriously.
Over 752,000 applications for copies of birth certificates have been exposed because an online company that helps people get their birth certificate from government agencies didn’t password-protect an Amazon Web Services (AWS) storage bucket. That means a lot of personal information was revealed.
“The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web address access to the data,” TechCrunch reports. “U.K.-based penetration testing company Fidus Information Security found the exposed data. TechCrunch verified the data by matching names and addresses against public records. Fidus and TechCrunch sent several emails prior to publication to warn of the exposed data, but we received only automated emails and no action was taken.”
An Amazon storage bucket is essentially a public cloud you get through Amazon. A lot of companies use them, but they don’t typically store people’s personal information on them without a password, because you’d have to be pretty stupid to do that. TechCrunch is not revealing the name of the company that exposed this data, so we’re not sure who did the stupid thing in this scenario.
The personal information that was exposed includes a person’s name, address, date of birth, phone number and more. The company would take this information and obtain a copy of someone’s birth certificate through their state’s department of health. The records that were exposed were all from the past two years.
Data breaches have become a serious problem, and it seems as if everyone is being affected by them. We all remember the EquiFax data breach that exposed the personal information of nearly half of the country in 2017. Back in July of this year, it was revealed that a hacker had gotten into a Capital One server and exposed over 100 million people’s personal information.
The Capitol One hack had to do with Amazon, too. A lawsuit that was filed against Amazon and Capital One after the hack claimed Amazon knew about the security vulnerabilities the hacker took advantage of to get the records before the hack occurred and failed to fix them, and the person who allegedly did the hack was a former Amazon Web Services employee. AWS operates Capital One’s cloud services.
Amazon’s marketplace was hacked back in May, and the hackers were able to steal money from merchants who use Amazon to sell their products. Even the most successful tech companies have problems with beating the hackers (and they typically bother to do things like use passwords).
See also: Hacked Self-Driving Cars Would Cause Chaos, Study Suggests
What many don’t realize is there are tons of smaller breaches that don’t grab as many headlines that might impact their life. According to a report from earlier this year, 4.1 billion people had their personal information exposed in the first half of 2019. That’s worldwide, of course, and that means over half the planet had its personal information exposed in just the first part of this year.
It’s hard to say how much of this information is actually utilized by criminals, but with a simple algorithm people could be cataloguing this data, searching it and using it to make a profit. We don’t know who was exposed by this latest breach, but it’s definitely not the last time this is going to happen.