An unprotected AWS bucket used by a company that allows users to obtain copies of their own or family members’ birth and death certificates were discovered online by the penetration testing company Fidus Information Security. The bucket did not require a password and was available to anyone who could guess the web address. Included in the bucket were approximately 752,000 applications for copies of birth certificates as well as nearly 90,400 death certificate applications, but those were not able to be viewed. On these applications were names of applicants, date-of-birth, current home address, email address, phone number and historical personal information–including past addresses, names of family members and the reason for the application. Fidus has attempted to inform the company, but no response has been received. Amazon was contacted as well and stated they would not intervene but would let the unnamed company know of the security lapse.
When storing data online, it is always important to have it protected properly. Cloud storage providers make it very convenient and easy to make data available but also require special care to secure. It is important to have a well-published point of contact for security researchers to provide confidential reports of security problems. Customers who may have their information exposed should be on the lookup for suspicious activity involving their personal data.