SECURITY
SECURITY
SECURITY
Tens of thousands of medical school records found on misconfigured cloud storage
A U.S. medical school has been found to be exposing tens of thousands of student records online in the latest case of misconfigured cloud storage.
Discovered and detailed today by Noam Rotem and Ran Locar at vpnMentor, the breach involved data that belonged to Phlebotomy Training Specialists. Phlebotomy is the process of using a needle to take blood for a vein, with the company pitching itself as focusing on giving students real-world knowledge that can’t be gained from a book alone.
The student data was found on a single, open Amazon Web Services Inc. S3 storage bucket. The 157 gigabytes of student data covered an estimated 27,000 to 50,000 students and included personally identifiable information, national ID cards, academic records and more.
The vpnMentor researchers discovered the data on Sept. 4, then contacted the company three times, Sept. 7, 8 and 15, with no response. They then followed up by contacting Amazon on Sept. 15, then USA-CERT on Sept. 20. The data was taken offline between Oct. 8-11.
As with all such data exposures, the records being open to all sundry exposes the school’s students to identity theft, phishing and various forms of fraud.
“Educational institutions entrusted with the collection and storage of sensitive, personally identifiable information must be proactive in their approach to security posture management,” Pravin Rasiah, vice president of product at cyber asset management company CloudSphere, told SiliconANGLE. “Leaving troves of data exposed without even basic password protection is an all-too-common example of misconfiguration in cloud environments.”
Although in this instance ethical security researchers discovered the leak, Rasiah noted that cybercriminals are constantly searching for exactly this type of exposure to harvest and exploit sensitive data.
“The healthcare and education industries continue to be a top target for cybercriminals who find new ways to obtain the endless sensitive patient and student information due to the organization’s requirements to store this data,” explained Troy Gill, senior manager of threat intelligence at Zix Corp.’s AppRiver. “This is a great reminder for organizations to examine their security solutions and evaluate their current authentication practices to ensure they are building the safest habits to protect themselves and sensitive data that they store from bad actors.”
Photo: Phlebotomy Training Specialists
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
