US municipalities suffer data breach due to misconfigured Amazon S3 buckets

More than 1,000 GB of data and over 1.6 million files from dozens of municipalities in the US were left exposed, according to a new report from a team of cybersecurity researchers with security company WizCase.

All of the towns and cities appeared to be connected through one product: mapsonline.net, which is owned by a Massachusetts company called PeopleGIS. The company provides information management software to local governments across Massachusetts, New Hampshire and Connecticut.

WizCase's team of ethical hackers, led by Ata Hakçıl, discovered more than 80 misconfigured Amazon S3 buckets holding data related to these municipalities. The data ranged from residential records like deeds and tax information to business licenses and job applications for government positions.

According to the researchers, WizCase's scanner revealed 114 Amazon Buckets that were named after the same pattern, revealing the connection to PeopleGIS. Among these, 28 appeared to be properly configured (meaning they weren't accessible), and 86 were accessible without any password nor encryption.

Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, explains that, "S3 buckets and data object policies are complex and easy to get wrong. This complexity is partly because AWS has created several iterations of permissions over the years, and partially because product teams have to ship quickly and security decisions are not revisited. This is especially true in smaller organizations without dedicated cloud-security teams."

Tiwari adds, "At the same time, organizations, such as Netflix and others, demonstrate (and share open-source) great tools to create infrastructure with best security practices built-in. The good news for organizations is that small investments in creating a 'paved path' for their product teams is likely to reduce their attack surface significantly, without slowing them down."

The type of files exposed varied by municipality. This variance and the number of municipalities involved means there was no way to give a clear estimate of the number of people left vulnerable in this breach. The type of documents exposed includes business licenses, residential records such as deeds, tax information, and resumes for applicants to government jobs. Information exposed in the breach include (but isn’t limited to):

Email address
Physical address
Phone number
Drivers license number
Real estate tax information
Photographs of individuals (on drivers licenses)
Photographs of properties
Building and city plans

Some of the vulnerable documents were redacted, but they were digitally redacted using transparent tools like a marker. This means whoever found them could change the contrast level of the document in a photo editor and see the redacted information. This means even documents that were redacted were potentially vulnerable in this breach. Ultimately, the breach could lead to massive fraud and theft from citizens of those municipalities, as it contains highly-sensitive data within a local government's database.

"Cyber asset visibility is the fundamental problem that is causing these types of issues," says Tyler Shields, CMO at JupiterOne. "The speed at which companies are moving to the cloud and building cloud native technologies is resulting in rapid growth in security problems from misconfiguration and a lack of asset visibility. Having up to date configuration, security, and asset visibility is the foundation upon which a strong security program is built.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.