Thousands of domestic violence victims have had their emergency distress messages exposed after a developer misconfigured a back-end AWS bucket.
Researchers at vpnMentor led by Noam Rotem and Ran Locar found the voice recordings stored on a publicly accessible AWS S3 bucket.
They were traced back to Aspire News, an application built by US non-profit When Georgia Smiled, which features an emergency help section via which domestic abuse victims can send their distress messages. It’s backed by US TV celebrity and clinical psychologist Dr Phil.
In total, the researchers found around 230MB of data, containing around 4000 voice recordings dating back to September 2017. Fortunately, once contacted, AWS informed the non-profit and the issue was shut down the same day.
However, the data exposed in the voice recordings was highly sensitive, including victims’ full names and home addresses, details of their circumstances and their abusers’ names and personal details.
Domestic violence cases are said to have surged dramatically during lockdown, when abusers are often confined at home with their victims for extended periods.
“Had malicious or criminal hackers accessed these recordings, they could be weaponized against both victims and abusers to pursue blackmail and extortion campaigns,” said vpnMentor.
“The potential devastation caused by such an outcome can’t be overstated, risking the health, emotional wellbeing and safety of all those impacted.”
Cloud configuration errors surged by 80% between 2018 and 2019, according to DivvyCloud by Rapid7.
“This particular instance is a critical reminder of the importance of securing data in the cloud,” said the firm’s co-founder, Chris DeRamus.
“By implementing a proactive and holistic approach to detecting risks and misconfigurations in the cloud in the build process, security lapses can be identified and remediated before data ever has a chance to be exposed.”