Comments On 750-Thousand Birth Certificate Applications Exposed On The Web

By ISBuzz Team
Writer, Information Security Buzz | Dec 11, 2019 06:26 am PST

Fidus Information Security, a UK penetration testing company, found an unprotected AWS server that exposed the information of 750,000 birth certificate applications. A TechCrunch report indicates that a third-party supplier of data to the U.S. government left the server unprotected.

2 Expert Comments
James Carder, Chief Information Security Officer & Vice President
December 12, 2019 2:39 pm

This breach follows the recent trend of data being exposed in misconfigured, unprotected, unmonitored, and globally accessible cloud storage buckets. In recent years, some of our largest breaches have involved the use of these buckets to grab the sensitive data of hundreds and thousands of companies or individuals at once. And unfortunately, this is just another example of the classic story of poor IT hygiene and a lack of proper security controls.

But this breach of U.S. states and their birth and death certificate systems – for nearly one million individuals – is extremely damaging on many fronts, even when compared to previous breaches involving misconfigured cloud storage buckets. First and foremost, there is a damage in trust as it relates to the states’ and governments’ ability to protect your information.

It also exposed very sensitive personally identifiable information like names, parents’ names, birth state and city, date of birth, home addresses, email addresses, phone numbers, and potentially credit card information. Some of this information can be easily changed, but some of it can never be changed. And combined, it totals about one third of what’s needed to have unfettered access to people’s identities; the only other details needed are a driver’s license or passport and social security number, and many people have already had this information compromised in other breaches – including the Equifax and Marriott breaches.

As much as we talk about vulnerabilities and exploits associated with poor patching, a misconfigured technology that houses this type of information is equally as negligent. The lack of proper security controls, monitoring and response technologies, and data classification makes this even more egregious; these records should have been marked as higher classification and protected accordingly.

Last edited 4 years ago by James Carder
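The comment above points at the recurring root cause: a cloud storage bucket that is misconfigured, globally accessible and unmonitored. The following Python audit script is an added example, not code from the article or from either commenter. It assumes AWS S3 semantics (the "AllUsers" and "AuthenticatedUsers" grantee group URIs, and the four Block Public Access flags) and works on plain dicts shaped like the responses of boto3's `get_bucket_acl` and `get_public_access_block`, so the core check runs offline on the constructed sample buckets below; `live_bucket_findings` is an optional wrapper that needs boto3 and AWS credentials. Bucket names in the samples are constructed.

```python
"""Audit S3 bucket exposure settings for the 'globally accessible bucket' pattern."""
from dataclasses import dataclass
from typing import Optional

# Grantee URIs that S3 uses for "everyone" and "any AWS account" (real AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}

# The four Block Public Access switches; a hardened bucket has all four set to True.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class Finding:
    bucket: str
    severity: str  # "HIGH", "MEDIUM" or "LOW"
    detail: str


def audit_bucket(name: str, acl: dict, pab: Optional[dict]) -> list:
    """Return findings for one bucket.

    acl: dict shaped like s3.get_bucket_acl (its 'Grants' list is inspected).
    pab: the 'PublicAccessBlockConfiguration' dict, or None when the bucket has no
         configuration at all (S3 reports NoSuchPublicAccessBlockConfiguration).
    """
    findings = []
    # When IgnorePublicAcls is on, S3 ignores public ACL grants, so they are a
    # hygiene issue rather than live exposure.
    acls_ignored = bool(pab and pab.get("IgnorePublicAcls"))
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            who = "anyone on the internet" if uri == ALL_USERS else "any AWS account"
            perm = grant.get("Permission")
            if acls_ignored:
                findings.append(Finding(name, "LOW", f"ACL grants {perm} to {who} (neutralized by IgnorePublicAcls; remove it anyway)"))
            else:
                findings.append(Finding(name, "HIGH", f"ACL grants {perm} to {who}"))
    if pab is None:
        findings.append(Finding(name, "MEDIUM", "no PublicAccessBlock configuration; public ACLs and policies are not blocked"))
    else:
        disabled = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
        if disabled:
            findings.append(Finding(name, "MEDIUM", "PublicAccessBlock flags disabled: " + ", ".join(disabled)))
    return findings


def live_bucket_findings(bucket: str, session=None) -> list:
    """Optional: fetch the real settings with boto3 (needs credentials) and audit them."""
    import boto3  # imported lazily so the offline part needs no AWS SDK
    from botocore.exceptions import ClientError
    s3 = (session or boto3).client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as exc:
        # S3 does not model this error as a class, so match on the error code.
        if exc.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    return audit_bucket(bucket, acl, pab)


# Constructed sample buckets (not real accounts or data), in boto3 response shape.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLES = {
    "exposed-bucket": (
        {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        None,
    ),
    "hardened-bucket": (
        {"Grants": [OWNER]},
        {flag: True for flag in PAB_FLAGS},
    ),
    "pab-neutralized-bucket": (
        {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]},
        {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    ),
}


def audit_samples() -> dict:
    """Run the audit over the constructed samples; returns {bucket: [Finding, ...]}."""
    return {name: audit_bucket(name, acl, pab) for name, (acl, pab) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print(f"  [{f.severity}] {f.detail}")
```

ACLs and Block Public Access are only two of the three ways a bucket becomes world-readable; a bucket policy is the third, and boto3's `get_bucket_policy_status` (its `PolicyStatus.IsPublic` field) is the natural next check to add. Running an audit like this on a schedule, and alerting on any HIGH finding, is the kind of monitoring the comment says was missing.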
Elad Shapira, Head of Research
December 11, 2019 2:28 pm

This is yet another example of data exposure through a poorly configured server and its potentially disastrous consequences. In this case, the provider was reported to be a third-party data supplier of the US government, and the leak included sensitive birth certificate information that can be used for malicious purposes such as identity theft. Incidents such as these underscore the very real need for organizations to thoroughly assess and continuously monitor the security of their third parties and to be vigilant about how data is stored.

Last edited 4 years ago by Elad Shapira
