
LPM Property Management leaves Amazon S3 buckets unsecured

16 Jul 2020

New Zealand property management firm LPM Property Management left more than 31,000 images of private personal information exposed on an Amazon Simple Storage Service (S3) database, according to one security researcher.

As originally reported on CyberNews, researcher Jake Dixon raised the alarm after finding images of people’s driver’s licences, passports and age documents, along with images of maintenance requests (i.e. damaged property).

CyberNews published examples of the passport and driver licence pictures, with personal information redacted for privacy reasons. However, this information would have been easily accessible to anyone who had access to the right URL.

Dixon tried to contact LPM Property Management to let the company know about the unsecured information, but it did not respond to his requests. Instead, Dixon worked with Amazon Web Services to secure the database.

Techday reached out to LPM Property Management for comment. A spokesperson from the firm says:

"We take the protection of our clients' data very seriously. That's why we promptly dealt with this issue once we were made aware of it. The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access."

"It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified. We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow."

LPM is one of many firms to have allegedly left Amazon S3 buckets unsecured. Just last month, remote learning platform OneClass left an S3 bucket unsecured, exposing names, emails, education history, account details, and enrolment details.

In January, a US-based cannabis retailer left an S3 bucket open, exposing private personal information.

In July 2019, some Fortune 500 companies including Netflix and Ford were caught out by unsecured S3 buckets belonging to IT firm Attunity. The buckets contained a terabyte of data that included email backups, account backups, and much more.

But that’s not all – Booz Allen Hamilton, Facebook, WWE, Verizon, Time Warner, Accenture, and even the Pentagon have fallen victim to unsecured S3 buckets.

AWS itself has repeatedly warned users about the dangers of unsecured S3 buckets. In 2017, the company rolled out several security features including the option of default encryption.

“You can now mandate that all objects in a bucket must be stored in encrypted form by installing a bucket encryption configuration. If an unencrypted object is presented to S3 and the configuration indicates that encryption must be used, the object will be encrypted using encryption option specified for the bucket (the PUT request can also specify a different option),” the company said in a blog post from November 2017.
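As an added illustration (not code from the original report, LPM or AWS), the Python sketch below audits the configuration documents a bucket owner can retrieve for a bucket (ACL, bucket policy, public access block and the default encryption configuration described above) and reports public grants and a missing encryption rule. The function name, finding strings and both sample configurations are constructed for this example.

```python
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(acl, policy_json, public_access_block, encryption):
    """Return a list of findings for one bucket's configuration documents."""
    findings = []
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))
    # ACL grants to the global groups are honoured unless IgnorePublicAcls is set.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl.get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append("ACL grants %s to a public group" % grant["Permission"])
    # An unconditional Allow to every principal exposes the matching objects.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        statements = json.loads(policy_json).get("Statement", [])
        for st in statements if isinstance(statements, list) else [statements]:
            principal = st.get("Principal")
            wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            if st.get("Effect") == "Allow" and wildcard and "Condition" not in st:
                findings.append("policy allows %s to any principal" % st.get("Action"))
    # Default encryption covers data at rest; it does not restrict who may read.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append("no default encryption rule")
    return findings

# Constructed sample configurations (not taken from any real bucket).
EXPOSED = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "policy_json": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    "public_access_block": None, "encryption": None}
HARDENED = {
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}]},
    "policy_json": None,
    "public_access_block": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(**cfg))
```
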

It seems the security message is still not getting through to many companies and breaches continue to put data at serious risk worldwide.

According to Experian, United States passports can fetch up to US$1000-2000 on the dark web, making them the most valuable pieces of information. Driver’s licences can be worth up to US$20.
