Organizations handling highly sensitive data belonging to U.S. residents are not doing enough to protect their customers’ personal information, as a recent discovery illustrates.
A group of pen testers has found more than a quarter of a million applications for copies of birth certificates in an Amazon Web Services (AWS) storage bucket left wide open to anyone who guesses the URL. TechCrunch verified the data by matching it against public records. The bucket was not protected with a password, which is how the UK-based penetration testing firm was able to discover it.
More than 720,000 applications for copies of birth certificates were exposed, alongside 90,400 death certificate applications. The records of the deceased could not be accessed or downloaded. However, the same could not be said of the birth certificate applications, which, TechCrunch says, exposed “the applicant’s name, date-of-birth, current home address, email address, phone number and historical personal information, including past addresses, names of family members and the reason for the application — such as applying for a passport or researching family history.”
At press time, the unnamed company that leaked the data had not responded to inquiries. The local data protection authority has also been informed, but is apparently taking its time responding to the incident.
Security lapses involving exposed AWS buckets are a leading cause of identity theft and fraud in the United States. Crafty cyber crooks buy this granular personal data on the dark web and use it to weave together fraud and phishing campaigns, SMS scams, and even extortion schemes.