An online company has exposed more than 752,000 applications for birth certificates due to a misconfigured cloud server.
UK security firm, Fidus Information Security, discovered the applications on an unsecured Amazon Web Services (AWS) storage bucket with no password protection.
The bucket also contained 90,400 death certificate applications, however these could not be accessed or downloaded.
The data exposed included highly sensitive information including applicant names; dates of birth; home and email addresses; phone numbers; previous addresses and names of family members. Applications were dated back to late-2017.
It was discovered that the bucket was being updated daily. In just one week, the company added 9,000 applications to the bucket.
The company in question hasn’t been named and has yet to respond to multiple emails sent from both TechCrunch and Fidus regarding the exposed data. Amazon stated that it would not intervene but rather inform the customer.
The highly sensitive information within the bucket is extremely valuable to potential threat actors who could commit identity fraud and even create phishing emails to harvest data.
Synopsys senior principal consultant, Tim Mackey commented: “That repeated contacts went unanswered is a clue that the company delivering this service likely is being operated using a high degree of automation and with a limited understanding of how valuable the data they interact with might be.
“Properly securing any data store is 101 level work, but we consistently see companies omitting this critical task from their ‘go-live’ checklist.”
The post #Privacy: Over 750K US birth certificates applications exposed online appeared first on PrivSec Report.