TechCrunch reported Monday that an unsecured Amazon Web Services (AWS) bucket exposed more than 752,000 applications for copies of birth certificates. The applications dated back to late 2017, according to the report, and more were being added to the bucket every day ahead of the report's publication.
The unsecured AWS bucket was discovered by a penetration testing company called Fidus. TechCrunch said the applications revealed "the applicant’s name, date of birth, current home address, email address, phone number and historical personal information, including past addresses, names of family members and the reason for the application — such as applying for a passport or researching family history."
That personal information could easily be used to scam unsuspecting victims with targeted attacks. Someone might also be able to use it to commit identity fraud or gain access to secure accounts. People often use street names from past addresses as part of their passwords, for example, and use their mother's maiden name as a security question. This data could be incredibly valuable to the right people.
TechCrunch's report didn't identify the company that exposed this information. It did say that it contacted Amazon, however, which "would not intervene but said it would inform the customer." That's not particularly surprising; Amazon was also slow to respond when UpGuard revealed that an unsecured AWS bucket exposed the personal information of 540 million Facebook users earlier this year.
It seems the company responsible for this privacy blunder hasn't taken it particularly seriously, either. TechCrunch said that "Fidus and TechCrunch sent several emails prior to publication to warn of the exposed data, but we received only automated emails and no action was taken." That means some 752,000 people across multiple states, including New York, Texas and California, currently remain exposed.