750,000 US birth certificate applications exposed in cloud data leak

Written by Tue 10 Dec 2019

Stockpile of birth and death certificates exposed on unprotected AWS storage bucket 

More than 752,000 US birth certificate applications have been discovered in an unsecured cloud storage container, leaving hoards of personal information there for the taking, TechCrunch reports.

The certificates were stored by an unnamed company that enables people to obtain copies of birth and death documents from state governments in the United States.

Fidus Information Security, a UK-based penetration testing company, discovered the certificates in an unprotected Amazon Web Services storage bucket, which allowed anyone who could guess the straightforward URL to access the treasure trove of sensitive information.

Personal information contained in the records includes names, dates of birth, home addresses, emails and phone numbers, names of family members, past addresses and reasons for application.

Although the stored certificates date back to 2017, the company has been topping up the bucket on a daily basis this year. TechCrunch, which verified the authenticity of the certificates against public records, said 9,000 were added to the storage container in a single week. TechCrunch and Fidus alerted the company to the exposed data via email, but no action was taken. Amazon said it would inform the company.

The leak is yet another instance of a company failing to secure data stored using online storage services. According to cyber threat analyst Digital Shadows, over 2.3 billion files were found on misconfigured or non-secured storage technologies between June 2018 and May 2019. AWS storage buckets accounted for 8 percent of those exposed.

Cyber security experts warned the information could be used by criminals to conduct identity theft and fraud.

“Due to the high amount of consumer data provided by individuals requesting birth certificate copies and on the actual birth certificates, these applications are a fraudster’s dream come true,” said Robert Prigge, CEO of cyber security company Jumio.

“The data compromised here will ultimately end up on the dark web and in the hands of bad actors who can then use it to impersonate others or to create synthetic identities by pairing stolen Social Security numbers with the names, dates of birth and other compromised personal information.”
