
LPM Property Management leaves Amazon S3 buckets unsecured

16 Jul 2020

New Zealand property management firm LPM Property Management left more than 31,000 images of private personal information exposed in an Amazon Simple Storage Service (S3) bucket, according to one security researcher.

As originally reported on CyberNews, researcher Jake Dixon raised the alarm after finding the images of people’s driver’s licences, passports, age documents, and images of maintenance requests – i.e. damaged property.

CyberNews published examples of the passport and driver's licence pictures, with personal information redacted for privacy reasons. However, this information would have been easily accessible to anyone who knew the right URL.

Dixon tried to contact LPM Property Management to let the company know about the unsecured information, but it did not respond to his requests. Instead, Dixon worked with Amazon Web Services to secure the bucket.

Techday reached out to LPM Property Management for comment. A spokesperson from the firm says:

"We take the protection of our clients' data very seriously. That's why we promptly dealt with this issue once we were made aware of it. The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access."

"It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified. We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow."

LPM is one of many firms to have allegedly left Amazon S3 buckets unsecured. Just last month, remote learning platform OneClass left an S3 bucket unsecured, exposing names, emails, education history, account details, and enrolment details.

In January, a US-based cannabis retailer left an S3 bucket open, exposing private personal information.

In July 2019, some Fortune 500 companies including Netflix and Ford were caught out by unsecured S3 buckets belonging to IT firm Attunity. The buckets contained a terabyte of data that included email backups, account backups, and much more.

But that’s not all – Booz Allen Hamilton, Facebook, WWE, Verizon, Time Warner, Accenture, and even the Pentagon have fallen victim to unsecured S3 buckets.

AWS itself has repeatedly warned users about the dangers of unsecured S3 buckets. In 2017, the company rolled out several security features including the option of default encryption.

“You can now mandate that all objects in a bucket must be stored in encrypted form by installing a bucket encryption configuration. If an unencrypted object is presented to S3 and the configuration indicates that encryption must be used, the object will be encrypted using the encryption option specified for the bucket (the PUT request can also specify a different option),” the company said in a blog post from November 2017.
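As an added illustration (not code from the article, LPM or AWS), the following audit checks the bucket settings this story turns on: public ACL grants, the Block Public Access flags, wildcard-principal bucket policies and the default encryption configuration AWS describes above. It consumes the response shapes of the boto3 S3 client calls named in the docstring, and the two sample configurations are constructed; note that default encryption only protects objects at rest and does not by itself stop anonymous reads of a bucket that is public.

```python
import json

# Group URIs that make an ACL grant anonymous (AllUsers) or open to any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(acl, public_access_block, encryption, bucket_policy=None):
    """Return a list of findings; an empty list means nothing exposed was detected.
    acl, public_access_block and encryption are the dicts boto3's get_bucket_acl,
    get_public_access_block and get_bucket_encryption return (pass None where S3
    reports no configuration); bucket_policy is the JSON string from get_bucket_policy.
    """
    findings = []
    # 1. ACL grants to AllUsers/AuthenticatedUsers: anyone with the URL can list or read.
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append(f"ACL grants {grant.get('Permission')} to {grantee['URI'].rsplit('/', 1)[-1]}")
    # 2. Block Public Access: all four flags must be on to neutralise public ACLs and policies.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    findings += [f"Block Public Access flag {f} is off" for f in PAB_FLAGS if not pab.get(f)]
    # 3. Bucket policy statements that allow a wildcard principal with no Condition.
    for stmt in (json.loads(bucket_policy).get("Statement", []) if bucket_policy else []):
        if (stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"})
                and "Condition" not in stmt):
            findings.append(f"bucket policy allows {stmt.get('Action')} to any principal")
    # 4. Default encryption. Absence is a finding, but SSE-S3 is transparent to anyone
    #    allowed to GET the object, so it does not fix a public bucket on its own.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default encryption configuration")
    return findings


# Constructed samples (not real buckets): an exposed bucket and a hardened one.
EXPOSED = dict(
    acl={"Grants": [{"Grantee": {"Type": "Group",
                                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}]},
    public_access_block=None, encryption=None)
HARDENED = dict(
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                     "Permission": "FULL_CONTROL"}]},
    public_access_block={"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
```

Running `audit_bucket(**EXPOSED)` lists six findings (the public READ grant, four Block Public Access flags off, and no default encryption), while the hardened sample returns none.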

It seems the security message is still not getting through to many companies and breaches continue to put data at serious risk worldwide.

According to Experian, United States passports can fetch up to US$1000-2000 on the dark web, making them the most valuable pieces of personal information traded there. Driver's licences can be worth up to US$20.
