An unprotected AWS bucket used by a company that allows users to obtain copies of their own or family members’ birth and death certificates were discovered online by the penetration testing company Fidus Information Security. The bucket did not require a password and was available to anyone who could guess the web address. Included in the bucket were approximately 752,000 applications for copies of birth certificates as well as nearly 90,400 death certificate applications, but those were not able to be viewed. On these applications were names of applicants, date-of-birth, current home address, email address, phone number and historical personal information–including past addresses, names of family members and the reason for the application. Fidus has attempted to inform the company, but no response has been received. Amazon was contacted as well and stated they would not intervene but would let the unnamed company know of the security lapse.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased