The vpnMentor cybersecurity research team, led by Noam Rotem and Ran Locar, has uncovered an unsecured AWS S3 bucket that contains over 5.5 million files, totals more than 343GB in size, and remains unclaimed.

In this case, after a few days of research, the research team identified the possibility that the data belongs to InMotionNow, and subsequently contacted the company with their findings. Although the unsecured S3 bucket is now closed, no one from the company ever responded to their attempts to reach out, so they are unable to confirm the ownership.

InMotionNow is a project management software company started in 1999 and headquartered near Raleigh, North Carolina. They boast FDA-compliant security standards, aimed at the verticals of their target customers.

Included here is a non-exhaustive list of the companies whose marketing material was found in the unsecured S3 bucket:

  • Cybersecurity firm ISC2.org also had multiple pieces of data included in this breach.
  • Insurance company Brotherhood Mutual, which serves primarily religious institutions across the United States.
  • Universities, such as Kent State in Ohio and Purdue in Indiana, also had a plethora of files and information contained within the S3 bucket.
  • Potawatomi Hotel & Casino in Milwaukee, Wisconsin.
  • Consumer electronics company, Zagg (ZAGG), which designs and produces mobile accessories.
  • Non-profit organization, the Freedom Forum Institute, which fosters U.S. First Amendment freedoms for all.

Organizations subject to a variety of health industry regulations were also found in the bucket. They include, but may not be limited to:

  • Myriad Genetics (MYGN) – Genetic and disease testing company.
  • Performance Health – Physical Therapy equipment and supplies provider.

Data Impacted

  • Analytics reports
  • Internal presentations, including:
    • Company strategy
    • Annual revenue amounts
    • Current customer count
  • Training materials
  • Internal client requests, including:
    • Requester name
    • Project name and details
  • Marketing strategies and collateral
  • Product labels
  • Business intelligence
  • Mailing lists with relevant PII

University donor lists, including:

  • Full names
  • Personal and work emails
  • Direct phone numbers
  • Credentials (degree, school, year)
  • Amount donated

For more information and detailed findings, please visit https://www.vpnmentor.com/blog/report-multiple-firms-breach/