Threat Watch

Cloud-Based App Exposes Inmate’s Data

On January 3rd, researchers from VPNMentor uncovered an unsecured Amazon Web Services Simple Storage Service (S3) bucket, owned by JailCore, a cloud-based app used by multiple US correctional facilities. Anyone could access the files stored on the S3 bucket using just a web browser—no password was required. Contained on the unsecured bucket were over 36,000 PDF files exposing inmate prescription records, mugshots, and other personally identifiable information. When the researchers attempted to reach out to JailCore on January 5th, JailCore refused to accept the breach notification or to confirm the researchers’ findings. However, access to the bucket was quickly closed after the researchers provided the notification to the Pentagon on January 15th.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Using advice from Amazon’s knowledge center, there are several strategies that can be used to better secure S3 buckets.

• Write AWS Identity and Access Management user policies that clearly define which users can access specific buckets and objects
• Block public access using Amazon’s built-in Amazon S3 Block Public Access
• Set access control lists on buckets and objects

More information for securing S3 buckets can be found at: https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/

For more information, please see: https://www.vpnmentor.com/blog/report-jailcore-leak/

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support