Some 750,000 birth certificates have been found expose online in a yet another story of a company that didn’t secure its cloud storage, but this story has a twist: The provider was a third-party supplier of data to the U.S. government.

The unnamed company, detected by Fidus Information Security Ltd. and first reported today by TechCrunch, exposed the birth certificate data by not setting the Amazon Web Services cloud storage it was using to private.

Worse still, despite efforts to inform the company, the exposed cloud storage is being updated daily with about 9,000 records that involve personally identifiable information or PII.

“Leaving a database publicly accessible without any security barriers in place is one of the most common yet easily preventable causes of data leaks and breaches,” Chris DeRamus, chief technology officer of cybersecurity firm DivvyCloud Corp., told SiliconANGLE. “Although any evidence of misuse has not been confirmed, the sensitive PII that was exposed is highly valuable to bad actors, who harvest this kind of data to sell on dark web marketplaces or to launch future attacks against the impacted individuals.”

Anurag Kahol, chief technology officer of cloud access security broker Bitglass Inc., noted that leaving a database publicly accessible without a password is a common error, one that involved companies such as Tuft & Needle and TrueDialog this year.

“While [the cloud storage provider] does provide some native security and compliance functionality, the responsibility is on the enterprise to secure access to the data that is being stored within the platform,” he said. “Organizations should prevent data leakage by equipping themselves with tools such as data loss prevention, user and entity behavior analytics, step-up multifactor authentication and encryption of data at rest in order to ensure all customer information is safe.”

Unfortunately, added Vinay Sridhara, CTO of artificial intelligence security firm Balbix Inc., bad actors could have already used the exposed data to launch highly targeted phishing attacks or make money by selling the information on the dark web, a shady part of the internet accessible with special software.

James Carder, chief security officer and vice president of LogRhythm Labs, told SiliconANGLE that the breach “follows the recent trend of data being exposed in misconfigured, unprotected, unmonitored and globally accessible cloud storage buckets.

“In recent years, some of our largest breaches have involved the use of these buckets to grab the sensitive data of hundreds and thousands of companies or individuals at once,” Carder said. “And unfortunately, this is just another example of the classic story of poor IT hygiene and a lack of proper security controls.”

Photo: Wikimedia Commons