Oh buoy. Rich yacht bods' job agency leaves 17,000 sailors' details exposed in AWS bucket

It's 2020 and people are still letting S3 storage leak

A private yacht crew recruitment agency has left an AWS bucket containing the CVs, passports and even some drug test results for up to 17,000 people exposed to world+dog, according to reports.

Crew & Concierge – a jobs firm in Bath, England, that targets "high net worth individuals", yacht captains, and management companies searching for seafarers to crew private yachts – left an Amazon Web Services S3 bucket open to anyone and everyone for around 11 months starting in February 2019.

British news site Verdict reported that 17,379 seafarers' CVs were exposed, along with thousands of ENG1 medical certificates and passport scans.

A total of 90,000 files were exposed, it was said, including sample menus from chefs hoping to fill a billet aboard some oligarch's floating gin palace.

In a statement to Verdict, Crew & Concierge director Sara Duncan blamed "the team of developers we had hired" for the bucket being left open, saying she had trusted the devs to "do a competent job" of securing "personal and sensitive personal information relating to our registered crew".

The breach has been reported to the Information Commissioner's Office, as required by the Data Protection Act 2018.

Duncan continued, saying: "It appears likely that the individual or individuals responsible have developed advanced tools designed specifically to identify AWS customers and whether or not they have [a] misconfigured instance that may leave it open to malicious attack."

Such so-called "advanced tools" include the search engine Gray Hat Warfare, which does for AWS buckets what Shodan does for IoT devices that have been carelessly and inappropriately left accessible to the public.
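Added example, not code from the article or from the company involved: the two configurations that leave an S3 bucket "open to anyone and everyone" are an ACL grant to the AllUsers or AuthenticatedUsers groups and a bucket policy whose Principal is a wildcard, and this Python checker flags both in constructed sample input shaped like the output of the boto3 `get_bucket_acl` and `get_bucket_policy` calls, which is where a real audit would fetch the data from.

```python
import json

# Grantee URIs that S3 uses for "everyone on the internet" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """(grantee URI, permission) for each grant that goes to a public group."""
    return [(g["Grantee"]["URI"], g.get("Permission"))
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]


def _wildcard_principal(principal):
    """True if a policy Principal means 'anyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """(Sid, has_condition) for every Allow statement with a wildcard Principal.
    No Condition means open to the whole internet; conditioned ones need review."""
    if isinstance(policy, str):  # get_bucket_policy returns the policy as a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [(s.get("Sid", "<no Sid>"), "Condition" in s)
            for s in statements
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))]


# Constructed sample input (not from the article): an ACL shaped like the
# output of get_bucket_acl, plus a policy that lets anyone read every object.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-crew-bucket/*"}]})

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("wildcard policy statements:", public_policy_statements(SAMPLE_POLICY))
```

Either finding means the bucket is readable without credentials; enabling S3 Block Public Access at the account level stops both from taking effect.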

A few weeks ago Britain's Royal Yachting Association (RYA) 'fessed up to a breach of its member database circa 2015. The two incidents are not thought to be linked, in particular because the RYA identified malicious access to the database in question whereas Crew & Concierge left the door to its digital stables wide open.

The Register has asked Crew & Concierge for comment. ®
