Identity Theft at Birth: 752,000 Applications for Copies of Birth Certificates Were Exposed Online
Whether we like it or not, online companies of all shapes and sizes handle enormous amounts of personal data. Somewhat predictably, they don't always do it very well. Earlier this month, for example, penetration testing specialists from Fidus Information Security discovered an Amazon Web Services (AWS) storage bucket containing a stash of documents that weren't supposed to be public. The bucket in question was accessible from anywhere in the world and was not protected by a password. The experts shared their findings with TechCrunch's Zack Whittaker, who confirmed the validity of the information and discovered that some of the documents dated back to 2017. More worryingly, he found out that someone was putting new data in the bucket on a daily basis. Here's exactly what was being exposed.
Applications for copies of birth and death certificates were left in an unsecured AWS bucket
US citizens who need a copy of their birth certificates can request them in person at a government institution in their state, or they can use the services of an online company that processes people's applications and acts as an intermediary. One such company was tasked with handling at least 752 thousand applications. It put them all in the aforementioned unsecured AWS bucket. The bucket also held a little over 90 thousand applications for death certificates, though downloading those was impossible, according to Whittaker's report.
Although the actual birth certificates weren't exposed, the applications for them were still full of personal information. The details varied from state to state, but as you'd expect, the exposure was not insignificant. Some of the data Whittaker reviewed included:
- Dates of birth
- Physical addresses
- Email addresses
- Names of family members
- Past home addresses
In a word, the bucket is an identity thief's dream. Believe it or not, however, this is not the biggest problem.
Amazon refuses to take the bucket down, and the owner remains unresponsive
We can talk at some considerable length about how this is the next in a very long line of misconfigured AWS buckets that leak personal details of thousands of unsuspecting individuals, but those of you who have been following the news know all about the problem. In this particular case, the biggest issue lies with the reaction of the people responsible for securing the data. More precisely, the issue lies with the lack of such a reaction.
Whittaker and Fidus' researchers had no problems figuring out who was responsible for the leak. When they tried to contact the offending company, however, all they got was a collection of automated emails. They then got in touch with Amazon, but instead of acting quickly to stop the leak, one of the world's biggest cloud storage providers simply said that it, too, would inform the owner of the bucket. As a result, the data remained accessible to anyone who could get to the web address, which, according to Whittaker, isn't very difficult to guess.
Because the bucket remained open, Whittaker decided to protect the hundreds of thousands of people affected by the leak, and he didn't name the owner in his report. Although the offender remains unknown to the public, the entire story should be a lesson for everyone. It should be a lesson not only on how important the security of AWS storage buckets is but also on how not to react to reports of a significant data leak.