Around 750,000 birth certificates applications of U.S citizens were leaked, according to a TechCrunch report. The applications were discovered to be publicly accessible on an AWS cloud platform, with no protection at all.
The applications included highly sensitive and personal data including
- date of birth,
- current home address,
- email and phone number.
On top of these, accessible information included the names of family members, historical information such as past addresses, or the reason for application as well. The leak affected residents of California, New York and Texas.
The unnamed third-party responsible for the leak, obtained copies of birth certificates and death certificates from state governments and provided this service on the internet to citizens. According to experts, the exposed database goes back as early as 2017.
The leak was reported by Fidus Information Security, a UK-based penetration testing company. Considering the volume and type of exposed personal information, one can think of it as an open invitation to hackers and scammers. The wealth of information could be harvested by hackers in their phishing campaigns and by scammers in identity fraud.
As shocking as it may seem, left-open AWS buckets is not an unusual scenario among data exposures, especially if these are managed by third-parties.
Misconfigured cloud assets are open invitations to hackers
Many companies use cloud servers to store their data. Despite their great advantage, misconfigured buckets may expose sensitive data. It is a kind of an open invitation to hackers to dump and use a company’s data for their malicious activities as we have seen in this incident. Besides, this is not the first incident a misconfigured cloud asset caused significant data exposure.
3rd- and 4th-party service providers, such as cloud storage providers, improve their cyber resilience as much as possible. They publish best practices on how to use their cloud services and provide options to keep the data public or private, a feature configured by companies that accommodate cloud servers. Any misconfiguration may expose data to the public and the first ones who notice these exposed data would be-hackers and hacktivists. It is no wonder that Security Misconfiguration is #6 in OWASP Top 10.
A shortlist of common misconfigurations
- Use of factory default system credentials (username/passwords)
- Directory and file listings that are not disabled and easily available through search engines
- Some user traces may have too much information, such as pages returned to users with error messages
- Leaving unnecessary pages, such as sample apps, old privileges, and user accounts
- Out of date software (older versions), use of legacy systems, and patches which are not up-to-date
Simple steps to prevent misconfigured data
- Discover all your 3rd and 4th party service providers and cloud storage servers that your company use.
- Check for misconfiguration of cloud storage servers
- Monitor cyber risk of your 3rd and 4th party providers.
- Regularly check Intrusion Detection System (IDS) logs and consider host-based IDS rather than network-based IDS to examine events on host-level
- Increase the cyber security awareness of your employees and regularly check for leaked credentials.
Create an agilent patch management procedure. For that reason, use tools such as Black Kite Cyber Risk Scorecards that gives your cyber security posture in Patch Management (among 19 other categories).
Third-Party Risk Management 101
Businesses, companies, and in this case, state governments need to look at their vendors, suppliers, and in general third-parties from a “data perspective”. They need to keep track of the data lifecycle, whether it be personal data of their clients or company-specific sensitive data. This needs to be done both within the perimeter and outside the perimeter. An inventory keeping track of the company’s infrastructure and data will be a starting point most of the time.
They also need to monitor their third-parties on a continuous scale. In today’s world, with thousands of company assets beyond the perimeter, it is nearly impossible to continuously monitor and audit third-parties manually, with a high level of confidence.
Black Kite automates the process of third-party monitoring on a cyber-security level. Black Kite’s Cyber Risk Scorecard identifies potential third-party or supply-chain risk by scanning the target company’s domain name using OSINT (open-source intelligence) techniques. Providing the potential risks posed by third-party vendors, Black Kite achieves continuous risk monitoring on a cyber-security level.