Overview
In a significant data breach, over 752,000 copies of birth certificate applications have been exposed on the internet. This alarming incident, discovered by the British cybersecurity firm Fidus Information Security and reported by TechCrunch on December 9th, 2019, involves an unnamed American company that specializes in managing copies of civil acts online.
Sensitive Information Freely Accessible
The leaked data includes sensitive information such as names, dates of birth, addresses, emails, phone numbers, historical requests, previous addresses, names of family members, and, most crucially, the reason for the request. This information was freely accessible via simple, easy-to-guess URLs and was not protected by any password. The breach is believed to affect individuals residing in California, New York, and Texas who made their claims in 2017.
Names, first names, dates of birth, addresses, emails, phone numbers ... but also historical requests, previous addresses, names of family members and especially the reason for the request was freely accessible via simple easy-to-guess URLs and not protected by any password. The leak would affect peoples residing in California, New York, and Texas, for claims made in 2017.
Data Stored in Amazon Web Services
The company responsible for the leak offers an online service that allows US citizens to obtain copies of their birth and death certificates from state governments. According to reports, the company stored the personal information in Amazon Web Services (AWS).
Data Downloadable by Any Internet User
The 752,000 copies of birth certificate applications were not only accessible without a password but were also downloadable in a single click. Additionally, the leak listed 90,400 death certificate applications. However, these were neither accessible nor downloadable. Cybersecurity experts have warned that this information could be used by criminals to conduct identity theft and fraud.
Potential Consequences of the Leak
The compromised data is likely to end up on the dark web and in the hands of malicious actors. They could use this information to impersonate others or create synthetic identities by pairing stolen Social Security numbers with the compromised personal information.
Lack of Response from the Company and Amazon
Despite several emails sent by Fidus and TechCrunch to warn about the exposed data, the company only responded with automated emails and took no action. Amazon, when contacted, refused to intervene but stated that it would inform the customer.
Conclusion
This massive leak of birth certificate applications underscores the urgent need for robust data security measures. It serves as a stark reminder to companies handling sensitive information to prioritize data protection and to ensure that they are not inadvertently exposing their customers to potential identity theft and fraud.
