The UpGuard Cyber Risk Team can now disclose that sensitive data from the Los Angeles County 211 service, a nonprofit assistance organization described on their website as “the central source for providing information and referrals for all health and human services in LA County,” was publicly exposed online. The contents of the downloadable files include access credentials for those operating the 211 system, email addresses for contacts and registered resources of LA County 211, and most troubling, detailed call notes. These notes describe the reason for the calls, including personally identifying information for people reporting the problem, persons in need, and, where applicable, their reported abusers. Included in the more than 3 million rows of call logs are 200,000 rows of detailed notes, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns. In many of these cases, full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers are revealed among the data. This information was stored in an Amazon AWS S3 bucket configured to be publicly and anonymously accessible. Though some of the files in the bucket were not publicly downloadable, those that were included Postgres database backups and CSV exports of that data, with hundreds of thousands of rows of sensitive personal information. Despite 211’s dedication to preserving the confidentiality of reports, a technical misconfiguration - in this case, an inadvertently public cloud storage instance - exposed not only email addresses and weakly hashed passwords for LA County 211 employees, but six years of highly sensitive call logs regarding some of the most vulnerable people in LA County.
The UpGuard Cyber Risk Team can now confirm that a cloud storage repository containing information belonging to LocalBlox, a personal and business data search service, was left publicly accessible, exposing 48 million records of detailed personal information on tens of millions of individuals, gathered and scraped from multiple sources.
The UpGuard Cyber Risk Team’s discovery and analysis of an exposed data repository belonging to AggregateIQ (AIQ), a British Columbia-based data firm, has taken readers around the globe, implicating a number of high-profile political customers in a number of countries. Part One of “The AggregateIQ Files” offered an exclusive look at how exposed technical tools designed for the presidential campaign of Senator Ted Cruz (R-TX) shed light on AIQ’s relationship with Cambridge Analytica - an embattled analytics shop recently revealed to have misused data from 87 million Facebook user accounts. In Part Two, we examined how the repository’s contents revealed AIQ’s work on behalf of a variety of political pressure groups in the United Kingdom - most of them heavily involved in the successful 2016 effort to vote to leave the European Union. In Part Three, we took a closer look at the tools revealed to have been built and stored in the unsecured repository - technical mechanisms capable of highly sophisticated tracking and microtargeting of individuals across the internet. In this installment, Part Four of “The AggregateIQ Files,” we return to examine data revealed in the exposure showing AIQ’s involvement in political efforts closer to its home base of Victoria, British Columbia. While AggregateIQ’s work on behalf of a number of Canadian politicians is already known, this data provides clear insight into what specific assets were built and possessed by AIQ for their clients, along with previously unreported information - including about exposed credentials and passwords.
In Part One of this series, “The AggregateIQ Files,” we explained how the UpGuard Cyber Risk Team’s discovery of a publicly downloadable data repository operated by British Columbia-based data firm AggregateIQ (AIQ) exposed technical tools used for political operations around the world, including the presidential campaign of Senator Ted Cruz (R-TX). In Part Two, we explored how the exposed repository shed light on AIQ’s work in the United Kingdom involving a number of organizations, including a Northern Irish political party crucial to Prime Minister Theresa May’s government and the official campaign in favor of the UK’s exit from the European Union.
In an incident that calls to mind multiple data breaches in the analytics and influencing industries, the UpGuard Cyber Risk Team can now report that data relating to a number of subsidiaries of Kansas City holding company Blue Chair LLC, such as lead generation company Target Direct Marketing, was left exposed online, revealing personally identifiable information for over one million individuals seeking further information about higher education. Revealed in the repository are personal details for these million individuals, including their names, email addresses, phone numbers, and, in some cases, information such as the person’s high school graduation year and area of study. Also exposed in this leak are what appear to be backups of a set of server configurations for a large network of feeder websites designed to draw consumers toward the for-profit education application process.
Our recent discovery and analysis of publicly downloadable code repositories originating from data analytics firm AggregateIQ has answered a few questions, but raised many more. In Part One of “The AggregateIQ Files,” we explained how the data exposed from within this development repository appear to corroborate existing evidence and accusations that AggregateIQ and Cambridge Analytica, an embattled and highly controversial data firm, work closely together, on projects that appear customized for Cambridge Analytica clients like Texas Senator Ted Cruz.
The UpGuard Cyber Team’s latest discovery of a data leak, involving the exposed IT assets of a data analytics firm based in British Columbia, Canada, presents significant questions for society about how technology can be used. In this first installment of a multipart series titled “The AIQ Files,” we begin to explain the importance of the data revealed from a publicly exposed AggregateIQ repository, and how it relates to recent US political history.
The UpGuard Cyber Risk Team can now confirm that a digital data repository containing records from a Long Island medical practice was left publicly accessible, revealing medical details and personally identifiable information for over forty-two thousand patients. As detailed here and at databreaches.net, this data exposure appears to originate from Cohen Bergman Klepper Romano Mds PC, a Huntington, New York practice specializing in internal medicine and cardiovascular health, revealing such details as patient names, Social Security numbers, dates of birth, phone numbers, insurance information, and more.
(UPDATE 3/8/1018) After consultation with Capital One’s legal team and technical teams, UpGuard was informed that Capital One’s system security was not impacted by this matter, and UpGuard has therefore updated its post.
In a blow to consumer privacy that recalls previous breaches in the credit repair and marketing industries, the UpGuard Cyber Risk Team can now disclose that the Maryland Joint Insurance Association (JIA), a private-sector program providing property insurance in the state, exposed personally identifiable information for thousands of individuals to the public internet via a misconfigured storage device. This data exposure once again underscores the ease with which highly sensitive, personally identifiable information can leak online - in this instance, through an open port on an internet-connected device.
In a striking illustration of how cyber risk affects even the newest and most novel enterprises in the digital economy, the UpGuard Cyber Risk Team can now disclose that a cloud repository belonging to Octoly, a Paris-based brand marketing company, was left exposed, revealing a backup of their enterprise IT operations and sensitive information about thousands of the firm’s registered online personalities. The leak, which resulted from the erroneous configuration of the repository for public access, revealed the contact information and personal details of over twelve thousand influential "creators" - largely Instagram, Twitter, and YouTube personalities supplied by Octoly with beauty products, merchandise, and gaming content from the marketing firm’s industry clients, which include household names like Dior, Estée Lauder, Lancôme, and Blizzard Entertainment.
In another blow to consumer privacy, the UpGuard Cyber Risk Team can now reveal that a cloud-based data repository containing data from Alteryx, a California-based data analytics firm, was left publicly exposed, revealing massive amounts of sensitive personal information for 123 million American households. Exposed within the repository are massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the US Census Bureau, providing data sets from both Experian and the 2010 US Census. While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data.Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household.
Coming only months after the revelation that the personal information of over 143 million Americans had been stolen from the systems of credit agency Equifax, the UpGuard Cyber Risk Team has discovered a new, damaging exposure from within a financial firm, which, beyond revealing critical internal data, also exposes customer information compiled by all three major credit agencies. This highly concentrated level of exposure, thoroughly revealing customer credit history several times over, serves to highlight the myriad dangers a single exposure can unleash.
In the wake of a string of data exposures originating from Pentagon intelligence-gathering agencies, the most recent of which revealed the workings of a massive, worldwide social media surveillance program, the UpGuard Cyber Risk Team can now disclose another. Critical data belonging to the United States Army Intelligence and Security Command (INSCOM), a joint US Army and National Security Agency (NSA) Defense Department command tasked with gathering intelligence for US military and political leaders, leaked onto the public internet, exposing internal data and virtual systems used for classified communications to anyone with an internet connection. With a middling CSTAR cyber risk score of 589 out of a maximum of 950, INSCOM’s web presence provides troubling indications of gaps in their cybersecurity - exemplified by the presence of classified data within this publicly accessible data repository.
The UpGuard Cyber Risk Team can now disclose that three publicly downloadable cloud-based storage servers exposed a massive amount of data collected in apparent Department of Defense intelligence-gathering operations. The repositories appear to contain billions of public internet posts and news commentary scraped from the writings of many individuals from a broad array of countries, including the United States, by CENTCOM and PACOM, two Pentagon unified combatant commands charged with US military operations across the Middle East, Asia, and the South Pacific.
The UpGuard Cyber Risk Team can now reveal that Accenture, one of the world’s largest corporate consulting and management firms, left at least four cloud storage buckets unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients. The buckets' contents appear to be the software for the corporation’s enterprise cloud offering, Accenture Cloud Platform, a “multi-cloud management platform” used by Accenture’s customers, which “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500” - raising the possibility that, if valid, exposed Accenture data could have been used for critical secondary attacks against these clients. With a CSTAR cyber risk score of 790 out of a possible 950, this cloud leak shows that even the most advanced and secure enterprises can expose crucial data and risk serious consequences.
The UpGuard Cyber Risk Team can now disclose that Viacom Inc, the Fortune 500 corporation that owns Paramount Pictures, as well as cable channels like MTV, Comedy Central, and Nickelodeon, exposed a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation’s business operations. Exposed in the leak are a master provisioning server running Puppet, left accessible to the public internet, as well as the credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands. Perhaps most damaging among the exposed data are Viacom’s secret cloud keys, an exposure that, in the most damaging circumstances, could put the international media conglomerate’s cloud-based servers in the hands of hackers. Such a scenario could enable malicious actors to launch a host of damaging attacks, using the IT infrastructure of one of the world’s largest broadcast and media companies.
The UpGuard Cyber Risk Team can now disclose that a publicly accessible cloud-based data repository of resumes and applications for employment submitted for positions with TigerSwan, a North Carolina-based private security firm, were exposed to the public internet, revealing the sensitive personal details of thousands of job applicants, including hundreds claiming “Top Secret” US government security clearances. TigerSwan has recently told UpGuard that the resumes were left unsecured by a recruiting vendor that TigerSwan terminated in February 2017. If that vendor was responsible for storing the resumes on an unsecured cloud repository, the incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information.
UpGuard’s Cyber Risk Team can now disclose that a data repository owned and operated by Omaha-based voting machine firm Election Systems & Software (ES&S) was left publicly downloadable on a cloud-based storage site, exposing the sensitive data of 1.8 million Chicago voters. The database, which included voter names, addresses, phone numbers, driver’s license numbers, and partial Social Security numbers, appeared to have been produced around the time of 2016 general election for the Chicago Board of Election Commissioners, an ES&S customer since 2014.
The UpGuard Cyber Risk Team has discovered a new data exposure within the systems of Texas-based electrical engineering operator Power Quality Engineering (PQE) , revealing the information of such clients as Dell, the City of Austin, Oracle, and Texas Instruments, among others. Left accessible to the wider internet via a port configured for public access and used for rsync server synchronization, the breach allowed any interested browser to download sensitive electrical infrastructure data compiled in reports by PQE inspectors examining customer facilities.
The UpGuard Cyber Risk Team can now report that a cloud-based file repository owned by financial publishing firm Dow Jones & Company, that had been configured to allow semi-public access exposed the sensitive personal and financial details of millions of the company’s customers. While Dow Jones has confirmed that at least 2.2 million customers were affected, UpGuard calculations put the number closer to 4 million accounts.
UpGuard’s Cyber Risk Team can now report that a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon.
In what is the largest known data exposure of its kind, UpGuard’s Cyber Risk Team can now confirm that a misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC) in their efforts to elect Donald Trump. The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust. In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as “modeled” voter ethnicities and religions.
In what constitutes the latest in a series of blows to the US intelligence community’s reputation for stringent information security, UpGuard’s Cyber Resilience Team can now reveal the discovery by Cyber Risk Analyst Chris Vickery of a publicly exposed file repository containing highly sensitive US military data. Analysis of the exposed information suggests the overall project is related to the US National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD).
Whether browsing the internet on a mobile device, or maintaining dozens of servers, we place trust in the security and integrity of the systems to which we are entrusting our most valuable data. With every decision we make to trust in such systems, we expose ourself a bit more to the risk that a breach might compromise this information. With every permission granted, every personal detail entered, you open yourself up a bit more to such a possibility. This is cyber risk: a fact of life in the world of today, endemic to any activity relying on internet-facing technology.