More than 50,000 driving licences have been leaked online, sparking warnings from experts that hackers can use the information to apply for credit cards and loans. Ukrainian security consultant Bob Diachenko stumbled upon the folder of PDF and JPG files containing 108,535 scanned images of over 54,000 NSW licences. He also discovered another folder containing Roads and Maritime Services toll notice statutory declarations. The data was stored on an Amazon cloud storage service and contained phone numbers, addresses and birth dates – all of which were available for public view. ‘More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket,’ Mr Diachenko tweeted along with a screenshot of a list of files dated back to 2018. ‘Most likely – part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now.’
More information: https://www.dailymail.co.uk/
In the past, when cloud storage services were not as common as they are today, an attacker would have to be really inventive to break into a secured network and steal data stored on a server. Unfortunately, this no longer applies today. Even if “cloud” technology enables real technical advancements and provides affordable data storage, it comes with the significant threat of misconfiguration and misuse.
We read and hear about instances of misconfigured cloud storage often; so often, that it seems to have become the norm. It would be good if cloud service providers would take this matter into their own hands and stop misconfigurations that allow public access to data. However, this would be hard to do as it would require service providers to be active in the setup, as well as act as a consultant, leading users through the settings and advising against bad decisions. This costs money and, as a result, would affect their ability to offer affordable cloud storage. Yet, unfortunately, secure cloud storage is unattainable without the guidance of someone who is familiar with the topic of security in the cloud. Therefore, cloud users need to be more alert on how they use the service, they need to recruit a consultant to set up the infrastructure so that it conforms to the use case, and they need to create plans for resilience, response and recovery in every part of this infrastructure. This is the only way they can make attempts at hacking so difficult that it dissuades the attacker from even trying.
With all data breaches, there is often good and bad news. The bad news is that there are tens of thousands of potential victims and they could be facing a cold shower of reality that their identities have been stolen and used for profit. But until that happens there is no reason for panic. The good news is that this breach pales in comparison to the size of Australia’s population and on any given day consumers face the reality that their identities have most likely been stolen many times over and they don’t know it. As our digital footprint expands exponentially the mobile devices glued to our hands are one of the weakest links in the global communications ecosystem.
As a society we have become desensitized to identity theft and cyber crime because we have already been victimized many times over. My advice for consumers is to regularly check their credit and use a credit checking service to monitor activity on their credit cards and bank accounts. As for New South Wales officials, this is no time to try and play the victim card as consumers deserve your transparency and honesty on what happened, how the exposed PDF was lost and what you are planning to do in the near term and long term to protect drivers.
This is a significant breach because, on top of having personally identifiable information leaked, cybercriminals can also identify a natural person through the exposed image files. Affected individuals will need to be vigilant, not only checking their bank accounts regularly, but all online accounts for unusual activity. A key step for all those affected to take is to enable account monitoring/alerting, along with setting thresholds associated with their monetary online accounts.
It is not the first time that a misconfiguration has led to damaging consequences such as an accidental data breach. It demonstrates once again the importance of Enterprise Security programs that incorporate security into processes such as change management, technologies including secure configurations, as well as end-user awareness.