It has been reported that a security researcher has discovered an unsecured Amazon Simple Storage Service (S3) database containing more than 31,000 images of users’ passports, driver’s licenses, evidence of age documents, and more. These files are publicly accessible to anyone who has the URL and appear to be owned by the Wellington, New Zealand company LPM Property Management. This particular bucket seems to host images from LPM’s service. Out of the 31,610 files contained in the database, only 15 files are not images.
The files include:
- Passports, both expired and active, both from New Zealand and abroad
- Driver’s licenses with ID numbers, donor statuses, addresses, DOBs, and full names
- Evidence of age documents
- Applicant pictures
- Images of damaged property (labeled “maintenance requests”)
Sometimes it’s hard to avoid using tax software in countries where there are no secure alternatives, the law is unfamiliar, and there are language barriers. I recommend any company that insists on using Chinese tax software do so on an isolated device with no access to the company’s network or other resources. A virtual machine might be suitable so long as it’s set up in a secure way. This way, if the device gets infected, it can’t spread to other devices on the company network and won’t find anything to steal on the local device.
Another day, another unsecured Amazon S3 database. Incidents such as this will continue to occur until developers and database administrators learn the importance of securing their files, keeping them away from prying eyes. As bad actors are constantly on the lookout for unsecured databases that use Amazon’s services, it is quite likely that this exposed data has been gleaned by the bad guys. It is especially horrible that the database included proof of identity document information such as passport and driver’s license information, which can be used to steal a victim’s identity.
Networks need to be segmented to control who has access to them. This reduces the likelihood of unauthorized access. This protects companies and more importantly, their customers, from having their data accessed by bad actors.
Unsecured databases like AWS S3 ones are an ever-increasing challenge for many organisations. While these databases make it extremely easy and convenient for organisations to collect and store data, one small change and a private database could end up publicly exposed. If this is not something the organisation is looking for, then they are almost certainly not monitoring logs to detect any unauthorised access or data exfiltration.
It’s therefore important that all organisations implement and maintain a strong security culture throughout every function, so that security is a consideration at the design stage, is implemented in production, and assurance controls are put in place to validate they are working as expected.
Otherwise, despite all the features being available, if no-one will enable them, data will continue to be exposed.
Cloud storage solutions are convenient and cost-effective, but we must not forget that proper configuration of any cloud service means configuring components, like S3 buckets, securely. Securely in this context implies that a review of the security requirements for the data stored is carried out, but also that regulations like the Privacy Act 2020 are respected. If an organisation is struggling to understand the full requirements from either a security or a privacy perspective, then they should engage with professionals or consultancies skilled in conducting threat models, software architecture reviews and performing penetration testing. Independent of any regulatory sanctions, these security reviews help avoid the reputational damage that is an inevitable result of a data breach while containing the costs of both forensic reviews and the incident response itself.
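The kind of "one small change" that turns a private bucket public is usually a policy statement granting anonymous reads. The following offline checker is an added example written for this page, not code from the article or from any of the quoted commentators; the policy documents, bucket name and account ID in it are constructed, and the assumption is that a Public Access Block with RestrictPublicBuckets set neutralises such a policy for anonymous callers.

```python
"""Offline audit of an S3 bucket policy for anonymous object reads."""
import json

# Actions that let a caller fetch object contents (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM JSON allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} means any caller, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_statements(policy):
    """Return the Sids of Allow statements granting unconditional anonymous reads."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            continue  # conditional grants (e.g. VPC endpoint) need manual review, not auto-flagged
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def bucket_is_public(policy, public_access_block):
    """Effective exposure: a public-read policy not overridden by RestrictPublicBuckets.
    (BlockPublicPolicy only rejects new public policies; it does not disable an existing one.)"""
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return bool(public_read_statements(policy)) and not restricted


# Constructed sample policies (bucket name and account ID are placeholders).
EXPOSED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-docs-bucket/*"}]}''')

HARDENED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "PortalRoleRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/tenant-portal"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-docs-bucket/*"}]}''')

if __name__ == "__main__":
    print("exposed:", bucket_is_public(EXPOSED_POLICY, {}))                               # True
    print("hardened:", bucket_is_public(HARDENED_POLICY, {"RestrictPublicBuckets": True}))  # False
```

The same two functions can be run over policies pulled with the AWS CLI (`aws s3api get-bucket-policy` / `get-public-access-block`) as a periodic assurance check of the kind the commentary calls for.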