CYBERInsights: DATA Breach – 80+ US Municipalities left vulnerable in Massive Data Breach
CYBER BREACH: 80+ US Municipalities left vulnerable in Massive Data Breach
Posted By: Iain Fraser – Cybersecurity Journalist & Commentator, Gibraltar
https://IainFraserJournalist.Blogspot.com
Over 80 US Municipalities’ Sensitive Information, Including Resident’s Personal Data, Left Vulnerable in Massive Data Breach
A team of Ethical Hackers at WIZCASE led by Ata Hakçıl has found a major breach exposing a number of US cities, all of them using the same web service provider aimed at municipalities. This breach compromised citizens’ physical addresses, phone numbers, IDs, tax documents, and more. Due to the large number and various types of unique documents, it is difficult to estimate the number of people exposed in this breach. There was no need for a password or login credentials to access this information, and the data was not encrypted.
What’s Happening?
Over a 100 US cities appeared to be using the same product, mapsonline.net, provided by an American company named PeopleGIS. The data of these municipalities was stored in several misconfigured Amazon S3 buckets that were sharing similar naming conventions to MapsOnline. Due to this, we believe these cities are using the same software solution. The team reported the issue immediately and the buckets have since been secured.
PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data.
Our scanner revealed 114 Amazon Buckets that were named after the same pattern, revealing the connection to PeopleGIS. Among these, 28 appeared to be properly configured (meaning they weren’t accessible), and 86 were accessible without any password nor encryption.
This means there are 3 options:
PeopleGIS created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured;
The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets;
The Municipalities created the buckets themselves, with PeopleGIS guidelines about the naming format but without any guidelines regarding the configuration, which would explain the difference between the municipalities whose employees knew about it or not.
What Data Was Left Vulnerable?
The Wizcase Team discovered over 80 misconfigured Amazon S3 buckets holding data related to these municipalities, totalling over 1000 GB of data and over 1.6 million files. The type of files exposed varied by municipality. This variance and the number of municipalities involved means there was no way to give a clear estimate of the number of people left vulnerable in this breach. Learn More/…
Image Credit: Mike MacKenzie