US credit repair biz damages own security: 111GB of personal info exposed in S3 blunder

Oh look, another AWS misconfiguration spillage

By Iain Thomson

Posted in Cloud, 2nd December 2017 10:34 GMT

The National Credit Federation, a US credit repair biz, left 111GB of thousands of folks' highly sensitive personal details exposed to the public internet, according to security researchers.

In yet another AWS S3 configuration cockup, Americans' names, addresses, dates of birth, photos of driver licenses and social security cards, credit reports from Equifax, Experian, and TransUnion, detailed financial histories, and credit card and bank account numbers, were all left sitting out in the open for miscreants to find, it is claimed.

According to infosec biz Upguard this week, records on as many as forty thousand individuals seeking help with their credit scores were available for perusal on Amazon's cloud. The data store would have been a treasure trove for identity thieves and fraudsters, although there is no evidence information was lifted by miscreants.


"How many more buckets of this type, containing the most compromising personal and financial details imaginable, are out there, totally unsecured and awaiting discovery by the first bad guy to find them?" wondered Upguard's Dan O'Sullivan.

"The total lack of protection of these people’s data, the remarkably simple means held by any internet user to find and download the information, and the sensitivity of the information contained therein, speaks to the real challenges of fostering cyber resilience today.

"In order to ensure that the pandemic of cloud leaks and data exposures of this kind is arrested, enterprises must become serious about investing time and resources into full visibility and control of their systems."

A spokesperson for NCF was not available for comment. The storage silo was secured and hidden from public view after Upguard raised the alarm in October, apparently. Amazon took some steps in November to automatically warn AWS customers when they accidentally configure S3 buckets to be public. ®
