A large cache of unprotected information affecting many US municipalities has been discovered by the ethical hacking team at WizCase. The common denominator was mapsonline.net, software provided by PeopleGIS that many cities in the US use. WizCase’s team found over 80 misconfigured Amazon S3 buckets; however, others were configured in a way that made it difficult to determine which party was responsible for leaving the buckets vulnerable. In total, more than 1000 GB of data and roughly 1.6 million files were potentially exposed. Vulnerable documents included business licenses, residential records such as deeds, tax information, and resumes from applicants to government jobs, as well as information such as email addresses, physical addresses, phone numbers, driver’s license numbers, real estate tax information, photographs of individuals (on driver’s licenses), photographs of properties, and building and city plans. PeopleGIS patched the buckets after WizCase reached out, but it is unclear if they were accessed before being secured.
If the information was accessed by threat actors, the type of data involved could make it quite easy for them to craft phishing campaigns and even pose as government employees. When defending against phishing, it is crucial to spot the signs and know what to do. Anyone who believes they’ve received a phishing email should report it to someone in their security team and should not open any attachments or visit any links. It is also important to make sure buckets are being properly secured. This can be done by regularly checking that the permissions for access are strict and that a password is required for the files to be viewed.