Data leak exposes 750,000 birth certificate applications

Over 752,000 birth certificate applications have been exposed online by an unnamed company that enables people to obtain copies of their birth and death records from state governments in the United States, TechCrunch reports. Needless to say, the exposed cache of documents includes a variety of personal information.

The leak was reported by Fidus Information Security, a company specializing in penetration testing. The applications were found on the Amazon Web Services (AWS) cloud computing platform, sitting out in the open with no password protection whatsoever. This means anyone who could guess the relatively simple web address, including bad actors, could access the records.

Although the application process varies from state to state, the ultimate goal is the same – to allow people to acquire a copy of their records. These records include sensitive personal information such as the name, date of birth, current home address, email and phone number. On top of that, the applications also include the names of family members, historical information such as past addresses, or the reason behind applying for the documents.

The affected cache included applications dating all the way back to 2017. The company that runs the service added approximately 9,000 applications to the repository in a single week. The authenticity of the data was verified by TechCrunch by comparing them against public records.

As shocking as this leak may look at first glance, it is not an isolated case. Over a 12-month span between June 2018 and May 2019, a total of 2.3 billion files were discovered exposed online due to misconfigured or non-secured file storage and sharing technologies. Organizations’ Amazon S3 buckets accounted for 8 percent of the total exposure. On the other hand, AWS rolled out the ‘Block Public Access’ feature last year, which has mitigated the problem. But it has not stopped the problem entirely.

Data leaks from misconfigured public-facing file repositories may result in identity theft and fraud. Although this concrete case occurred in the United States, it’s worth noting that these kinds of security lapses may lead to stiff penalties under the European Union’s General Data Protection Regulation (GDPR).

10 Dec 2019 – 04:31PM