A team of security researchers from UpGuard has found an unsecured AWS S3 bucket, exposed to the Internet, containing more than 3.2 million records. All 3.2 million files reportedly belonged to a Los Angeles County nonprofit that provides health and human services.
Data belonging to 211 LA County, a nonprofit organization serving LA County, was reportedly left publicly exposed online. The content revealed in the downloadable files was wide-ranging. In addition to access credentials for the 211 system operators and email addresses for contacts, “included in the more than 3 million rows of call logs are 200,000 rows of detailed notes,” UpGuard wrote in a 17 May post.
The call notes included personally identifiable information for people reporting the problem. Among those were “persons in need, and, where applicable, their reported abusers, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns,” according to UpGuard.
“When you see an organization expose such sensitive data, it should serve as a reminder that companies must maintain an understanding of whether the service they use is risk-appropriate for the type of data they store there,” Bisbee said.
UpGuard has confirmed that the bucket is no longer publicly accessible, following its notification to 211 LA County.
“Amazon S3 access rules can be set for both the bucket as a whole and for the files within it. In the case of the “lacounty” bucket, permission settings allowed anyone to list the contents; some of the files inside, however, had additional rules preventing public users from downloading them,” the UpGuard post said.
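The distinction UpGuard describes, between a bucket ACL that lets the public list keys and object ACLs that decide whether each file can be downloaded, can be audited as in the following added example (not code from UpGuard or 211 LA County). The ACL dictionaries follow the shape returned by boto3's get_bucket_acl and get_object_acl; the keys, owner ID and helper names are constructed for illustration.

```python
# Added example: classify public exposure from S3 ACL documents.
# ACL dicts follow the shape returned by boto3 get_bucket_acl / get_object_acl.
# All keys, owner IDs and ACL contents below are constructed sample data.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# READ on a bucket allows listing keys; READ on an object allows downloading it.
READ_PERMS = {"READ", "FULL_CONTROL"}


def public_grants(acl):
    """Return the set of (audience, permission) pairs granted to public groups."""
    found = set()
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.add((PUBLIC_GROUPS[grantee["URI"]], g["Permission"]))
    return found


def audit(bucket_acl, object_acls):
    """Separate 'public can list keys' from 'public can download object'."""
    listable = any(p in READ_PERMS for _, p in public_grants(bucket_acl))
    downloadable = sorted(
        key for key, acl in object_acls.items()
        if any(p in READ_PERMS for _, p in public_grants(acl))
    )
    # Keys exposed by name only: listing reveals them, but download is denied.
    names_only = sorted(set(object_acls) - set(downloadable)) if listable else []
    return {"listable": listable, "downloadable": downloadable, "names_only": names_only}


def grant(uri, perm):
    """Build a group grant entry (hypothetical helper for the sample data)."""
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}
SAMPLE_BUCKET_ACL = {"Grants": [OWNER, grant(ALL_USERS, "READ")]}
SAMPLE_OBJECT_ACLS = {
    "exports/call_logs.csv": {"Grants": [OWNER, grant(ALL_USERS, "READ")]},
    "backups/db.sql": {"Grants": [OWNER]},
}

if __name__ == "__main__":
    print(audit(SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS))
```

This covers ACLs only; bucket policies and S3 Block Public Access settings also affect whether a bucket or object is publicly reachable and need to be reviewed alongside them.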
Threat Stack research indicates that roughly three-quarters of companies have critical cloud security misconfigurations, and every reported data leak is a lesson for companies to place greater emphasis on their security teams.