An online firm that helps customers obtain copies of their birth certificates from state and local authorities left some 750,000 applications on an unsecured Amazon Web Services (AWS) cloud storage system, TechCrunch reported on Monday.
TechCrunch didn’t disclose the name of the company, but it reported that UK-based cybersecurity firm Fidus Information Security first heard of the breach and that TechCrunch subsequently verified the contents of the unprotected directory by checking it against public records. In addition to the hundreds of thousands of applications for copies of birth certificates dating to late 2017, which were stored without password protection at an “easy-to-guess web address,” TechCrunch wrote that the bucket also contained well over 90,000 applications for copies of death certificates. Those, fortunately, were protected.
Data contained in the exposed files included names, dates of birth, home addresses, email addresses, phone numbers, and other information such as “past addresses, names of family members, and the reason for the application.” According to TechCrunch, its reporters as well as Fidus sent “several emails” warning the company of the exposed directory, but received “only automated emails” in response, and no action was taken. Amazon told TechCrunch it would not take direct action to secure the files but would warn the company, while TechCrunch reported that the “local data protection authority” didn’t have an immediate comment.
Obviously, this is just one more drop in the deluge of data breaches that have happened in recent years—one report from researchers at Comparitech released earlier this year estimated that since 2008, there had been almost 9,700 reported breaches involving over 10.7 billion records, with financial damages roughly estimated at over $1.6 trillion. At the same time, identity theft scams have become both more rampant and more sophisticated. Amazon itself was recently hit with an “extensive” phishing scheme directed at sellers on its marketplace platform, allowing the attackers to siphon cash from both sales proceeds and Amazon-backed business loans.
Much of the time, these incidents are due to sloppy security; after a hacker absconded with extensive data on more than 106 million Capital One customers, reports indicated that the company had neglected to routinely enact basic cybersecurity measures. After a separate breach this year hit Bulgarian government systems storing data on millions of taxpayers, the hackers behind it reportedly released a statement saying “Your government is stupid. Your cybersecurity is a parody.”
Correction: A previous version of this post misstated the number of records exposed in the breach: It is 752,000, not 720,000. We regret the error.