The UpGuard Cyber Risk Team can now disclose that sensitive data from the Los Angeles County 211 service, a nonprofit assistance organization described on their website as “the central source for providing information and referrals for all health and human services in LA County,” was publicly exposed online. The contents of the downloadable files include access credentials for those operating the 211 system, email addresses for contacts and registered resources of LA County 211, and most troubling, detailed call notes. These notes describe the reason for the calls, including personally identifying information for people reporting the problem, persons in need, and, where applicable, their reported abusers. Included in the more than 3 million rows of call logs are 200,000 rows of detailed notes, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns. In many of these cases, full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers are revealed among the data. This information was stored in an Amazon AWS S3 bucket configured to be publicly and anonymously accessible. Though some of the files in the bucket were not publicly downloadable, those that were included Postgres database backups and CSV exports of that data, with hundreds of thousands of rows of sensitive personal information. Despite 211’s dedication to preserving the confidentiality of reports, a technical misconfiguration - in this case, an inadvertently public cloud storage instance - exposed not only email addresses and weakly hashed passwords for LA County 211 employees, but six years of highly sensitive call logs regarding some of the most vulnerable people in LA County.
In an incident that calls to mind multiple data breaches in the analytics and influencing industries, the UpGuard Cyber Risk Team can now report that data relating to a number of subsidiaries of Kansas City holding company Blue Chair LLC, such as lead generation company Target Direct Marketing, was left exposed online, revealing personally identifiable information for over one million individuals seeking further information about higher education. Revealed in the repository are personal details for these million individuals, including their names, email addresses, phone numbers, and, in some cases, information such as the person’s high school graduation year and area of study. Also exposed in this leak are what appear to be backups of a set of server configurations for a large network of feeder websites designed to draw consumers toward the for-profit education application process.
The UpGuard Cyber Team’s latest discovery of a data leak, involving the exposed IT assets of a data analytics firm based in British Columbia, Canada, presents significant questions for society about how technology can be used. In this first installment of a multipart series titled “The AIQ Files,” we begin to explain the importance of the data revealed from a publicly exposed AggregateIQ repository, and how it relates to recent US political history.
In a blow to consumer privacy that recalls previous breaches in the credit repair and marketing industries, the UpGuard Cyber Risk Team can now disclose that the Maryland Joint Insurance Association (JIA), a private-sector program providing property insurance in the state, exposed personally identifiable information for thousands of individuals to the public internet via a misconfigured storage device. This data exposure once again underscores the ease with which highly sensitive, personally identifiable information can leak online - in this instance, through an open port on an internet-connected device.
In a striking illustration of how cyber risk affects even the newest and most novel enterprises in the digital economy, the UpGuard Cyber Risk Team can now disclose that a cloud repository belonging to Octoly, a Paris-based brand marketing company, was left exposed, revealing a backup of their enterprise IT operations and sensitive information about thousands of the firm’s registered online personalities. The leak, which resulted from the erroneous configuration of the repository for public access, revealed the contact information and personal details of over twelve thousand influential "creators" - largely Instagram, Twitter, and YouTube personalities supplied by Octoly with beauty products, merchandise, and gaming content from the marketing firm’s industry clients, which include household names like Dior, Estée Lauder, Lancôme, and Blizzard Entertainment.
UpGuard’s Cyber Risk Team can now disclose that a data repository owned and operated by Omaha-based voting machine firm Election Systems & Software (ES&S) was left publicly downloadable on a cloud-based storage site, exposing the sensitive data of 1.8 million Chicago voters. The database, which included voter names, addresses, phone numbers, driver’s license numbers, and partial Social Security numbers, appeared to have been produced around the time of 2016 general election for the Chicago Board of Election Commissioners, an ES&S customer since 2014.
UpGuard’s Cyber Risk Team can now report that a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon.