[Update: Spartan Technology, the company responsible for the arrest records described in this story, sent Gizmodo an additional update after confirming the incident. The company now says the records were only used for testing and that the Social Security numbers were mismatched intentionally with the names that accompany them as a precaution. New comments from CEO Eddie Pruitt and UpGuard have been added at the bottom of this story.]
Sensitive data related to thousands of arrests in the state of South Carolina were discovered exposed online last month by a California-based security company, Gizmodo has learned. A small percentage of those arrested were considered juveniles at the time of the arrest, said researchers who examined the data.
A researcher at the security firm UpGuard discovered the files in an open cloud storage bucket last month among multiple 14 GB databases. The tranche of data included the names of individuals charged with crimes, the alleged victims, and in some cases, the names of witnesses.
The company said a “significant number” of database entries included full names, dates of birth, phone numbers, and driver’s license numbers. Much of that information can be located by combing through public records, though likely not in the same aggregated form as the files located by UpGuard.
What’s more, around 17,000 Social Security numbers were also exposed.
Most states consider juvenile law enforcement and court records to be confidential. South Carolina is among them. (A 2014 study by the Juvenile Law Center ranked the state relatively high in protecting the confidentiality of law enforcement records related to minors.)
Spartan Technology, the case management company that had been storing the data—apparently on behalf of local court officers—was reached by UpGuard in mid-November and scrambled to secure the files.
“Spartan was notified about a potential misconfiguration on one of its buckets. Upon the notice, Spartan found the misconfiguration and secured the bucket within a matter of minutes,” said Eddie Pruitt, the CEO of Spartan Technology.
Pruitt also said the records showed “only defendants that were at or near the juvenile age,” but who were ultimately tried as adults. “There were only about 200 of those type of records. And again, those records are all publicly available at the courts and sheriff offices,” he said.
Around 60 GB in full, the data appeared to relate to some 26,000 individuals, UpGuard said. “Analysts confirmed the existence of entries marked as being members of the military and juveniles,” the company said.
Chris Vickery, director of cyber risk research at UpGuard, told Gizmodo by phone that Spartan Technology had reacted quickly to the news and immediately revoked the public access. That was something he felt was worth commending.
At a time when data breaches and other types of data exposure are commonplace, Vickery said he hoped any blowback faced by the company would be measured and take into account its response. In his years as a data breach hunter, he’s discovered many instances of sensitive information being improperly exposed. And not everyone responds well to the same news.
Many companies have ignored Vickery’s emails warning them about potential breaches and some have reacted with hostility. Good Samaritans in the security industry have even faced legal threats merely for attempting to get sensitive data secured.
Conversely, UpGuard said that Spartan was eager to cooperate and address the issue, something that more people should consider, Vickery said, when gauging the impact of these incidents. “This kind of active and open engagement with a security researcher should be lauded, as it speeds up response time and ultimately reduces the risk to the individuals affected,” the company said.
Pruitt said his company concluded that a previous employee had failed to follow standard procedures and secure the bucket containing the files.
“In response to this notification, Spartan has reviewed its processes and has reinforced company policy with current employees,” he said, adding that additional layers of monitoring and security had been implemented.
Update, 3:11 p.m.: Eddie Pruitt, CEO of Spartan Technology, said that UpGuard had viewed a table which included multiple entries for identical cases. The 5.2 million entries, in other words, included duplicate information. Pruitt confirmed the data relates only to 26,000 defendants, which Gizmodo earlier reported.
We’ve also added additional comments from Pruitt.
Update, 7:30 p.m.: In a statement to Gizmodo, Pruitt now says that additional research by his company has concluded the data was a “copy from a customer that had been scrubbed and shuffled.” In other words, while real, the Social Security numbers and driver’s license records no longer accurately match the names that accompany them.
Pruitt said this was realized after studying the numbers, which he was prompted to do because there were only 26,000 records, when the database should have included over 220,000 defendants.
Gizmodo cannot independently verify this. An UpGuard employee said the security firm had purged its copy of the Spartan data at Pruitt’s request and can no longer cross-check the Social Security numbers with the names in the records.
Correction: A previous version of this article referred to the company as “Spartan Technologies.” Its name is Spartan Technology. We regret the error.