Data of three million elderly citizens exposed in cloud security oversight

The personal data of more than three million US senior citizens was exposed in a security oversight by SeniorAdvisor, a review website.

Researchers at security firm WizCase discovered that a misconfigured Amazon S3 bucket meant that data including users’ surnames, emails, and phone numbers. The data belonged to people marked as ‘leads’, or potential customers.

The WizCase team said they also found around 2,000 ‘scrubbed’ reviews, from which the user’s sensitive information had been wiped or redacted. However, these reviews had a lead ID that could be used to trace the review back to post’s author.

As the researchers point out, the greatest danger from this breach is the fact that senior citizens are particularly vulnerable to fraud.

“This can include phishing emails that trick the user into inputting sensitive data into malicious websites, adding the user to a robodialer list, or emailing or calling a user masquerading as a government or bank official, to trick them into providing financial information,” says the company in a blog post detailing the discovery.

Daniel Brown, cybersecurity team leader at WizCase, says the disclosure process did not go smoothly.

“We tried to contact the company on June 9, and again on June 28 with the help of AWS security,” he tells The Daily Swig.

“Unfortunately, we did not receive a reply until SeniorAdvisor were contacted by a journalist, per our request, on August 5th. This is when we assume the breach was secured. We have no way of knowing if they’ve alerted the people affected.”

A spokesperson for SeniorAdvisor did not confirm whether or not the company had contacted those affected, but did confirm that the issue had been remedied.

“The data in the referenced file was five to fifteen years old and only contained information that can be found on the open web,” the spokesperson told The Daily Swig. “The bucket is secure.”

NOTE:: This is article is copyright by portswigger and we are used it for education or information purposes only.

Click Here to visit the official store of PortSwigger in Pakistan