A Utah company has exposed the sensitive information of more than 50,000 customers by storing data on an unsecured server.
The breach at Premier Diagnostics was discovered on February 22 by cybersecurity expert Bob Diachenko at consumer privacy watchdog Comparitech. Sensitive customer data stored in a publicly accessible database included scans of passports, health insurance ID cards, and driver's licenses.
Researchers found that the data of around 52,000 customers may have been impacted in the security incident. Based on the data seen by researchers, affected persons are mostly from Utah, Nevada, and Colorado.
"This data could be in anyone's hands now," said Comparitech's Paul Bischoff. "So, your ID and your medical card are probably somewhere on the dark web."
Premier Diagnostics, which is based in Lehi, operates 11 COVID-19 testing sites scattered across the northern section of the Beehive State. Before testing can take place, an individual who suspects that they have been infected with the novel coronavirus must provide a form of ID, which is then photographed and stored.
"They take a photo of your ID, the front and back of your ID and the front and back of your medical insurance card," said Bischoff. "They had stored all that data on a server that was publicly accessible online without a password."
After being alerted to the security breach, Premier Diagnostics took steps to secure the data, which has been unavailable to the public since March 1.
"We don't know for sure that any malicious parties got to it, but we've run honeypot experiments before where we see activity on that sort of unsecured data within a matter of hours," said Bischoff.
He added that by using equipment that scans for unsecured databases, cyber-criminals could have easily accessed and exfiltrated the data.
"It's low-hanging fruit; it's really easy," said Bischoff. "They use the same tools that we do, that we use to find the database in the first place, they use the same tools to find it and steal it."
In total, more than 200k images of ID scans were exposed in the data breach. However, no payment information was stored in the unsecured database.