US credit repair biz damages own security: 111GB of personal info exposed in S3 blunder

Oh look, another AWS misconfiguration spillage

By Iain Thomson

The National Credit Federation, a US credit repair biz, left 111GB of thousands of folks' highly sensitive personal details exposed to the public internet, according to security researchers.

In yet another AWS S3 configuration cockup, Americans' names, addresses, dates of birth, photos of driver licenses and social security cards, credit reports from Equifax, Experian, and TransUnion, detailed financial histories, and credit card and bank account numbers were all left sitting out in the open for miscreants to find, it is claimed.

According to infosec biz Upguard this week, records on as many as forty thousand individuals seeking help with their credit scores were available for perusal on Amazon's cloud. The data store would have been a treasure trove for identity thieves and fraudsters, although there is no evidence information was lifted by miscreants.

"How many more buckets of this type, containing the most compromising personal and financial details imaginable, are out there, totally unsecured and awaiting discovery by the first bad guy to find them?" wondered Upguard's Dan O'Sullivan.

"The total lack of protection of these people’s data, the remarkably simple means held by any internet user to find and download the information, and the sensitivity of the information contained therein, speaks to the real challenges of fostering cyber resilience today.

"In order to ensure that the pandemic of cloud leaks and data exposures of this kind is arrested, enterprises must become serious about investing time and resources into full visibility and control of their systems."

A spokesperson for NCF was not available for comment. The storage silo was secured and hidden from public view after Upguard raised the alarm in October, apparently. Amazon took some steps in November to automatically warn AWS customers when they accidentally configure S3 buckets to be public. ®
