itb-nz logo
Story image

LPM Property Management leaves Amazon S3 buckets unsecured

16 Jul 2020

New Zealand property management firm LPM Property Management left more than 31,000 images of private personal information exposed on an Amazon Simple Storage Solution (S3) database, according to one security researcher.

As originally reported on CyberNews, researcher Jake Dixon raised the alarm after finding the images of people’s driver’s licences, passports, age documents, and images of maintenance requests – i.e. damaged property.

CyberNews published examples of the passport and driver licence pictures, with personal information redacted for privacy reasons. However, this information would have been easily accessible to anyone who had access to the right URL.

Dixon tried to contact LPM Property Management to let the company know about the unsecured information, however it did not respond to requests.  Instead, Dixon worked with Amazon Web Services to secure the database.

Techday reached out to LPM Property Management for comment. A spokesperson from the firm says:

"We take the protection of our clients' data very seriously. That's why we promptly dealt with this issue once we were made aware of it. The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access."

"It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified. We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow."

LPM is one of many firms to have allegedly left Amazon S3 buckets unsecured. Just last month, remote learning platform OneClass left an S3 bucket unsecured, exposing names, emails, education history, account details, and enrolment details.

In January, a US-based cannabis retailer left an S3 bucket open, exposing private personal information.

In July 2019, some Fortune 500 companies including Netflix and Ford were caught out by unsecured S3 buckets belonging to IT firm Attunity. The buckets contained a terabyte of data that included email backups, account backups, and much more.

But that’s not all – Booz Allen Hamilton, Facebook, WWE, Verizon, Time Warner, Accenture, and even the Pentagon have fallen victim to unsecured S3 buckets.

AWS itself has repeatedly warned users about the dangers of unsecured S3 buckets. In 2017, the company rolled out several security features including the option of default encryption.

“You can now mandate that all objects in a bucket must be stored in encrypted form by installing a bucket encryption configuration. If an unencrypted object is presented to S3 and the configuration indicates that encryption must be used, the object will be encrypted using encryption option specified for the bucket (the PUT request can also specify a different option),” the company said in a blog post from November 2017.

It seems the security message is still not getting through to many companies and breaches continue to put data at serious risk worldwide.

According to Experian, United States Passports can fetch up to US$1000-2000 on the dark web – the most valuable pieces of information. Driver’s licences can be worth up to US$20.