A UK penetration testing company, Fidus Information Security, found an unprotected AWS server that exposed the information of 750,000 birth certificate applications. A TechCrunch report indicates that a third-party supplier of data to the U.S. government left the server unprotected.
This breach follows the recent trend of data being exposed in misconfigured, unprotected, unmonitored, and globally accessible cloud storage buckets. In recent years, some of our largest breaches have involved the use of these buckets to grab the sensitive data of hundreds of thousands of companies or individuals at once. And unfortunately, this is just another example of the classic story of poor IT hygiene and a lack of proper security controls.
But this breach of U.S. states and their birth and death certificate systems, affecting nearly one million individuals, is extremely damaging on many fronts, even when compared to previous breaches involving misconfigured cloud storage buckets. First and foremost, there is damage to trust as it relates to the states’ and governments’ ability to protect your information.
It also exposed very sensitive personally identifiable information such as names, parents’ names, birth state and city, date of birth, home addresses, email addresses, phone numbers, and potentially credit card information. Some of this information can be easily changed, but some of it can never be changed. Combined, it totals about one third of what’s needed to have unfettered access to people’s identities; the only other details needed are a driver’s license or passport and a social security number, and many people have already had this information compromised in other breaches, including the Equifax and Marriott breaches.
As much as we talk about vulnerabilities and exploits associated with poor patching, a misconfigured technology that houses this type of information is equally negligent. The lack of proper security controls, monitoring and response technologies, and data classification makes this even more egregious; these records should have been marked with a higher classification and protected accordingly.
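The "proper security controls" the paragraph above calls for start with knowing whether a bucket is reachable by anyone on the internet. The following added example (not code from the article, Fidus, or TechCrunch) shows an offline check of the three S3 settings that decide that: the bucket policy, the bucket ACL, and the account-level Block Public Access flags. The input documents are constructed samples in the same JSON shape the `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` commands return; the bucket name, account ID and VPC endpoint ID are placeholders.

```python
"""Offline audit of S3 public-access settings (constructed sample inputs)."""
import json

# Grantee group URIs that make an ACL grant world- or any-AWS-user-readable.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four account/bucket-level Block Public Access flags; all should be true.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Allow statements with a wildcard principal and no Condition.

    A Condition can narrow a wildcard (e.g. to one VPC endpoint); such
    statements are skipped here and deserve manual review in a real audit.
    """
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be un-listed
        stmts = [stmts]
    findings = []
    for s in stmts:
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        if not _principal_is_public(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({"sid": s.get("Sid"), "actions": actions})
    return findings


def public_acl_grants(acl):
    """Return (grantee URI, permission) for grants to the public groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES
    ]


def missing_block_public_access(config):
    """Return the Block Public Access flags that are absent or false."""
    return [f for f in BPA_FLAGS if not config.get(f, False)]


def assess_bucket(policy, acl, bpa):
    """Combine the three checks; an empty report means no public exposure."""
    return {
        "public_policy_statements": public_policy_statements(policy),
        "public_acl_grants": public_acl_grants(acl),
        "missing_bpa_flags": missing_block_public_access(bpa),
    }


# ---- constructed sample inputs (placeholder bucket, account and endpoint) ----
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-records-bucket/*"},
        {"Sid": "ListFromVpc", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-records-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "OwnerFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-records-bucket/*"},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
HARDENED_BPA = {f: True for f in BPA_FLAGS}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_BPA), indent=2))
```

Running the block on the sample inputs reports the `PublicRead` statement, the `READ` grant to `AllUsers`, and three disabled Block Public Access flags; the same checks against `HARDENED_BPA` and an ACL with only the owner grant return nothing. In practice this logic runs against output pulled with the AWS CLI or boto3 on a schedule, so that a bucket holding records of this sensitivity never stays public unnoticed.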
This is yet another example of data exposure through a poorly configured server and its potentially disastrous consequences. In this case, the provider was reported to be a third-party data supplier to the U.S. government, and the leak included sensitive birth certificate information that can be used for malicious purposes such as identity theft. Incidents such as these underscore the very real need for organizations to thoroughly assess and continuously monitor the security of their third parties and to be vigilant about how data is stored.