US credit repair biz damages own security: 111GB of personal info exposed in S3 blunder
Oh look, another AWS misconfiguration spillage
The National Credit Federation, a US credit repair biz, left 111GB of thousands of folks' highly sensitive personal details exposed to the public internet, according to security researchers.
In yet another AWS S3 configuration cockup, Americans' names, addresses, dates of birth, photos of driver licenses and social security cards, credit reports from Equifax, Experian, and TransUnion, detailed financial histories, and credit card and bank account numbers, were all left sitting out in the open for miscreants to find, it is claimed.
According to infosec biz Upguard this week, records on as many as forty thousand individuals seeking help with their credit scores were available for perusal on Amazon's cloud. The data store would have been a treasure trove for identity thieves and fraudsters, although there is no evidence information was lifted by miscreants.
Massive US military social media spying archive left wide open in AWS S3 bucketsREAD MORE
"How many more buckets of this type, containing the most compromising personal and financial details imaginable, are out there, totally unsecured and awaiting discovery by the first bad guy to find them?" wondered Upguard's Dan O'Sullivan.
"The total lack of protection of these people’s data, the remarkably simple means held by any internet user to find and download the information, and the sensitivity of the information contained therein, speaks to the real challenges of fostering cyber resilience today.
"In order to ensure that the pandemic of cloud leaks and data exposures of this kind is arrested, enterprises must become serious about investing time and resources into full visibility and control of their systems."
A spokesperson for NCF was not available for comment. The storage silo was secured and hidden from public after Upguard raised the alarm in October, apparently. Amazon took some steps in November to automatically warn AWS customers when they accidentally configure S3 buckets to be public. ®
Sponsored: Becoming a Pragmatic Security Leader