A Los Angeles County nonprofit that provides health and human services accidentally exposed about 3.2 million files on an unsecured AWS S3 bucket, according to the UpGuard cyber risk team.
211 LA County, a nonprofit organization serving LA County, was reportedly left publicly exposed online. The content revealed in the downloadable files was widespread. In addition to access credentials for the 211 system operators and email addresses for contacts, "included in the more than 3 million rows of call logs are 200,000 rows of detailed notes," UpGuard wrote in a 17 May post.
The call notes included personally identifiable information for people reporting the problem. Among those were “persons in need, and, where applicable, their reported abusers, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns,” according to UpGuard.
The information, stored in an Amazon AWS S3 bucket located at the subdomain “lacounty,” was inadvertently misconfigured to be publicly and anonymously accessible, according to UpGuard. “Though some of the files in the bucket were not publicly downloadable, those that were included Postgres database backups and CSV exports of that data, with hundreds of thousands of rows of sensitive personal information,” the UpGuard post stated.
While the leak itself is not remarkable in size, the exposed information is highly sensitive, and is possibly the ultimate example of how important it is to know if the service you're using is risk-appropriate for the information being stored, said Sam Bisbee, CSO, Threat Stack.
“When you see an organization expose such sensitive data, it should serve as a reminder that companies must maintain an understanding of whether the service they use is risk-appropriate for the type of data they store there,” Bisbee said.
While UpGuard made efforts to contact 211 LA County after their 14 March analysis that revealed the sensitive information was accessible, they were not able to connect with a member of the 211 LA County information security team until 24 April.
UpGuard confirmed that after only 24 hours, the bucket was no longer publicly accessible. “Amazon S3 access rules can be set for both the bucket as a whole and for the files within it. In the case of the “lacounty” bucket, permission settings allowed anyone to list the contents; some of the files inside, however, had additional rules preventing public users from downloading them,” the UpGuard post said.
Threat Stack research indicates that nearly three-quarters of companies have critical AWS cloud security misconfigurations. “So, every reported cloud data leak is a lesson to companies that they need to proactively find ways to create transparency within their cloud infrastructure so that they can effectively manage the security of their data and systems,” Bisbee said.