It has been reported that a security researcher has discovered an unsecured Amazon Simple Storage Solution (S3) database containing more than 31,000 images of users’ passports, driver’s licenses, evidence of age documents, and more. These files are publicly accessible to anyone who has the URL and appears to be owned by the Wellington, New Zealand company LPM Property Management. This particular bucket seems to host images from LPM’s service. Out of the 31,610 files contained in the database, only 15 files are not images.
The files include:
- Passports, both expired and active, both from New Zealand and abroad
- Drivers licenses with ID numbers, donor statuses, addresses, DOBs, and full names
- Evidence of age documents
- Applicant pictures
- Images of damaged property (labeled “maintenance requests”)