Security researchers have warned that as many as 100,000 customers of a UK-based printing company including military organizations may have had sensitive personal and business documents exposed in another cloud leak.
Researchers at vpnMentor found the misconfigured Amazon Web Services S3 bucket on January 22. They quickly discovered its owner was Doxzoo, a British document printing and binding company with global clients.
However, despite boasting multiple ISO accreditations on its website, including information security standard ISO 27001, the firm never responded to vpnMentor’s outreach and only closed the leak around 20 days later when the researchers reached out directly to AWS.
The 343GB database itself contained over 270,000 records from a range of clients, including “complete scripts and screenplays, full-length books, sought-after paid wellness plans and internal military handbooks,” vpnMentor said.
“They also get requests from private individuals who order family scrapbooks (complete with pictures of the kids), bachelorette souvenirs with potentially compromising photos of the bride-to-be, and more,” it continued.
“Additionally, Doxzoo seems to regularly request full scans of photo IDs (such as passports) to fulfill orders.”
Affected customers came from the UK, US, Nigeria, India, Sri Lanka and potentially elsewhere.
The data leak could have led to identity theft of individual customers whose personal information was exposed, and potentially more serious compromise of military security, the researchers claimed.
There are also potential copyright issues if hackers had decided to upload the works they found in the trove to a sharing site. Alongside full-length books and screenplays, the vpnMentor team claimed to have found scripts for one of the world’s “top TV series.”
The privacy snafu is just the latest in a long line uncovered by vpnMentor. Others include a data leak from Canadian telco Freedom Mobile, Best Western Hotels and Resorts Group; sports retailer Decathlon and photo app PhotoSquared.