Update: On the morning of 11 December 2019, Gizmodo published a story on Spartan Technology based on UpGuard's analysis. At 7pm EDT that night, Spartan Technology contacted Gizmodo to state that the data was for testing and the names had been "shuffled" to no longer correlate with their social security numbers and other data points. Both UpGuard and Gizmodo had been in contact with Spartan Technology prior to publication of their respective articles. Read more on Gizmodo.
The UpGuard Research team can now disclose that a cloud storage bucket containing personally identifiable information (PII) for thousands of people in the South Carolina justice system has been secured. An employee of Spartan Technology, a South Carolina tech company, had uploaded a collection of backups to the AWS S3 storage service. The data collection included four MSSQL database backups, weighing in at around 14 gigabytes each, with information regarding 5.2 million arrest events, individuals charged with crimes, the alleged victims, and witnesses (if any). Only names and phone numbers were present for victims and witnesses. In a significant number of arrestee records, the database included full names, dates of birth, phone numbers, driver's license numbers, and approximately 17,000 unique social security numbers. Fortunately, in what should be considered a successful incident response, the company involved responded quickly and responsibly to secure the sensitive data.
Discovery and Response
On November 19, 2019, an UpGuard researcher identified several files within the AWS S3 bucket as downloadable and soon after verified the files contained sensitive information about real individuals. The owner of the data was believed to be Spartan Technology from a combination of the name of the bucket, a company logo, and information in the database backups. Chris Vickery notified the company via email and phone about the data leak. That day the company responded to UpGuard's notification, identified the owner of the bucket, and removed public access. This kind of active and open engagement with a security researcher should be lauded, as it speeds up response time and ultimately reduces the risk to the individuals affected.
The most significant portions of the exposed data were a set of four files that combined to form one large database backup. After restoring the database from these files in an offline instance of Microsoft SQL, the total size was a little over 60 gigabytes, and the dates showed the records were generated from 2008 to 2018, when the backup was created. Spartan Technology was able to confirm that the database was part of a system used by district attorneys in South Carolina, which aligns with the types of data present. Many of the tables contained information which would be relevant to the administration of cases.
One table had records for people charged with crimes and contained approximately five million rows. One column contained a property called "person id," and the count of unique numbers was over 26,000, the best hint for the number of unique arrestees. Given that this data was collected over a decade, it represents only a fraction of the total arrestees in South Carolina, but a sizeable portion nonetheless. Currently, approximately 38,000 people are incarcerated in South Carolina and 74,000 are in the criminal justice system.
The table documenting events related to crime had over a hundred columns, many labeled with opaque acronyms, but the more obvious fields corresponded to full name, home and mobile phone, date of birth, social security number, height and weight, race, and military or juvenile status. Analysts confirmed the existence of entries marked as being members of the military and juveniles.
A second table contained 13 million rows due to the inclusion of non-defendant individuals (relevant officers, victims, and witnesses) in addition to defendant data (much of the same data for criminal defendants as in the table discussed above). As before, that does not represent the number of unique individuals involved: there were 26,000 unique “PersonID” numbers, each assigned to a defendant.
Taken together, the data set offered a view of the personal information of defendants, witnesses, and victims that was intended only for use by district attorneys as authorized representatives of the state. Disparities in the criminal justice system itself then trickled down to those affected by data exposures. In South Carolina as a whole, twenty-two percent of the general population is Black compared to sixty-two percent of the jail and prison population. The data in this exposure tracked with that trend, with approximately seventy-five percent of the arrest events involving a person whose race was recorded as "B."
UpGuard research has shown for years that data leaks like this one are a widespread problem that can affect organizations of every size in every industry. The ways in which data are exposed are in many ways similar (process errors and misconfigurations), but the ramifications vary by the kind of data particular to the sector. Individuals charged with crimes have no choice whether to consent to data collection requirements put on them by the state. The reliance on a digital supply chain for the administration of those cases then creates risk for that data to be inadvertently exposed. Given that this is a universal challenge facing all businesses, the capability that distinguishes those most deserving of their customers' trust is how they handle such incidents, and in that regard Spartan Technology's response was exemplary.