According to a TechCrunch report, a US online company that issues birth certificates to individuals has exposed more than 752,000 applications. Fidus Information Security, a company that conducts online penetration testing, identified the case of negligence, and TechCrunch seconded the finding.
The two companies discovered that the firm was storing the applications on an Amazon Web Services (AWS) cache that was not properly protected by a password. By simply entering the “easy-to-guess” address of the cache in a browser, a malicious visitor could access the documents held within. TechCrunch withheld the name of the company to protect the privacy of those who used its service.
The applications include information such as the applicant’s name, date of birth, current home address, email address and phone number. They also include other details about people’s lives, such as previous addresses, names of family members and the reason they applied for the documents in the first place.
The cache also includes applications dating back to 2017. The company that maintains the database has added about 9,000 applications each day since TechCrunch started looking into it. The data cache includes some 90,400 death certificate applications, but TechCrunch says it wasn’t able to access or download any of those.
Worse, beyond automated emails, the company has not responded to messages, although Amazon said it would notify the company of the leak.
Even though this exposure isn’t as large as some that have happened in the past at other companies, it once again underscores the need for updated legislation on how companies handle sensitive documents online.
Earlier this year, a ProPublica investigation discovered that the medical data of about 5 million Americans was quite easy to obtain online. Though the types of data were different, in both cases ProPublica and TechCrunch discovered servers that weren’t even password protected.