Over 800,000 Records Discovered Unprotected

share
Header image

Over 800,000 Records Discovered Unprotected

share

Issue was caused by incorrect S3 bucket policy rules.

A dataset containing 820,750 records totalling 122GB has been discovered online, most likely belonging to German tracking software firm Lost & Found.

Security researcher and co-founder of Security Discovery, Jeremiah Fowler, said in a blog post that the dataset was unprotected and publicly exposed, and included 14 databases - 10 that were accessible and 4 that were restricted.

Within these, he found shipping labels, lost item reports, and screenshots, ranging from personal electronics, wallets, bags, medical devices, and other personal effects travelers often take on flights.

“The most concerning files I saw in the database were a large number of high resolution images of identification documents such as passports, drivers licenses, employment documents, and more,” he said. “It is not known if these images of identification documents were created to file claims and identify ownership of lost documents, or if these documents themselves were lost and copies were uploaded by airport staff or officials.”

Fowler said in an update that Lost and Found’s security team informed him that the issue was caused by incorrect S3 bucket policy rules, which was overridden by ACL settings.

“It appears that their entire internal database was not exposed and only these individual S3 Buckets were misconfigured. It should be noted that AWS S3 is a key-value store and S3 is effectively considered to be a NoSQL database and this is why I reference “database” in this report.”


Written by
Dan Raywood
Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

Data Breach Published: 7 March Written by
Dan Raywood
Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

Upcoming Events

No events found.

Related content

Hijacked NHS Scotland domains push adult content

Hijacked NHS Scotland domains push adult content

 UK watchdog raises concerns over Jaguar Land Rover's cyber bailout

UK watchdog raises concerns over Jaguar Land Rover's cyber bailout

 Stryker dismisses malware use, data theft following cyberattack

Stryker dismisses malware use, data theft following cyberattack
Toll of Transport for London hack reaches nearly 10M

Toll of Transport for London hack reaches nearly 10M

 Suspected state-backed phishing campaign targets officials, journalists

Suspected state-backed phishing campaign targets officials, journalists

 PSNI staff to be awarded data breach compensation

PSNI staff to be awarded data breach compensation
KPMG refutes Nova ransomware attack claims

KPMG refutes Nova ransomware attack claims