A misconfigured Amazon Web Services S3 bucket was recently found containing photos of driving licences of around 54,000 Australian citizens. The photos contained detailed personal information such as names, dates of birth, driving licence numbers, and home addresses.
The misconfigured S3 bucket was discovered by security researcher Bob Diachenko who said via a Twitter post that the bucket contained front and back images of more than 50,000 driving licences.
ABC News quoted Diachenko to state that the AWS S3 bucket was easily discoverable, contained as many as 108,535 back-and-front scans of driving licences of drivers who registered in New South Wales and was probably viewed and abused by malicious actors.
While Diachenko said the S3 bucket was most likely a part of the New South Wales RMS infrastructure, Transport for NSW said the collection of files did not belong to the department as it did not “retain, nor collect tolling data in the manner described.”
“Transport for NSW is, however, working with Cyber Security NSW to investigate the alleged data issue relating to an Amazon Web Services S3 bucket containing personal information including driver licences,” a department spokesperson said.
More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket. Most likely – part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now. No official response though. Thanks to @troyhunt for assistance. pic.twitter.com/FRTQ5GEEJE
— Bob Diachenko (@MayhemDayOne) August 26, 2020
The New South Wales Privacy Commissioner also said that the data appeared to be linked to a private business firm and that the breach is not associated with a NSW Government agency or any NSW Government system or process. The Privacy Commissioner also clarified that the unnamed private business had no links with the New South Wales government.
Commenting on the massive leak of over 50,000 driving licences, Niamh Muldoon, Senior Director of Trust and Security at OneLogin, said this is a significant breach because, on top of having personally identifiable information leaked, cybercriminals can also identify a natural person through the exposed image files.
“Affected individuals will need to be vigilant, not only checking their bank accounts regularly but all online accounts for unusual activity. A key step for all those affected to take is to enable account monitoring/alerting, along with setting thresholds associated with their monetary online accounts.
“It is not the first time that a misconfiguration has led to damaging consequences such as an accidental data breach. It demonstrates once again, the importance of Enterprise Security programs that incorporates security into processes such as change management, technologies including secure configurations, as well as end-user awareness,” she added.
Boris Cipot, senior security engineer at Synopsys, said that the ideal way to protect cloud storage servers is for cloud service providers to take charge and stop misconfigurations that allow public access to data.
Cloud storage providers can help users in the setup process and guide them through the settings, but this will make cloud storage expensive and unaffordable to many. Therefore, cloud users need to be more alert on how they use the service, they need to recruit a consultant to set up the infrastructure so that it conforms to the use case, and they need to create plans for resilience, response and recovery in every part of this infrastructure.
“This is the only way they can make attempts at hacking so difficult that it dissuades the attacker from even trying,” he added.