A London-based consulting firm has exposed the personal details of thousands of UK business professionals through a publicly accessible Amazon Web Services bucket.
Researchers at vpnMentor, Noam Rotem and Ran Locar, discovered the breach, which contained “highly sensitive files” from numerous British consulting firms, on December 9, 2019.
The research team found that the files were being stored on an Amazon Web Services (AWS) S3 bucket database, which requires users to implement their own security protocols. Unfortunately, the owners had left the database open and publicly viewable to anyone, with no authentication required.
“While the owner of the database was not initially clear, it was labeled “CHS”. We traced this back to CHS Consulting, a London-based consulting firm. However, as the company has no website, we cannot confirm their ownership of the database,” explained vpnMentor.
The exposed database contained files belonging to many UK-based consultancy firms, including Dynamic Partners, Eximius Consultants Limited and Garraway Consultants.
Much of the exposed data was from 2014-2015; however, some files can be traced back as far as 2011.
The exposed information within the files includes thousands of passport scans, tax documents, job applications, proofs of address, criminal records, expenses and benefits forms, extensive background checks, paperwork related to business taxes and HMRC, scanned contracts with signatures, and much more.
In addition, the personal information exposed included full names, addresses, phone numbers, email addresses, genders, dates of birth, job titles, national insurance numbers and more.
The researchers contacted CERT-UK on December 10, and the database was secured on December 19.
This breach could easily have been prevented if “CHS” had implemented some basic security measures to protect the database, such as securing their servers and enforcing proper access rules.
“Had criminal hackers discovered the database, it would have been a goldmine for illicit activities and fraud, with potentially devastating results for those exposed,” stressed vpnMentor.
“If you’re a UK-based consultant or consulting firm and are concerned about this breach, contact the CERT-UK to understand what steps are being taken to keep your data safe and ensure it has not been leaked.”
The post #Privacy: Thousands of UK business professionals have had their data leaked appeared first on PrivSec Report.