UPDATED 22:49 EST / NOVEMBER 03 2021

SECURITY

Tens of thousands of medical school records found on misconfigured cloud storage

A U.S. medical school has been found to be exposing tens of thousands of student records online in the latest case of misconfigured cloud storage.

Discovered and detailed today by Noam Rotem and Ran Locar at vpnMentor, the breach involved data that belonged to Phlebotomy Training Specialists. Phlebotomy is the process of using a needle to take blood from a vein, and the company pitches itself as focusing on giving students real-world knowledge that can’t be gained from a book alone.

The student data was found on a single, open Amazon Web Services Inc. S3 storage bucket. The 157 gigabytes of student data covered an estimated 27,000 to 50,000 students and included personally identifiable information, national ID cards, academic records and more.

The vpnMentor researchers discovered the data on Sept. 4, then contacted the company three times, on Sept. 7, 8 and 15, with no response. They followed up by contacting Amazon on Sept. 15 and US-CERT on Sept. 20. The data was taken offline between Oct. 8 and 11.

As with all such data exposures, leaving the records open to all and sundry exposes the school’s students to identity theft, phishing and various forms of fraud.

“Educational institutions entrusted with the collection and storage of sensitive, personally identifiable information must be proactive in their approach to security posture management,” Pravin Rasiah, vice president of product at cyber asset management company CloudSphere, told SiliconANGLE. “Leaving troves of data exposed without even basic password protection is an all-too-common example of misconfiguration in cloud environments.”

Although in this instance ethical security researchers discovered the leak, Rasiah noted that cybercriminals are constantly searching for exactly this type of exposure to harvest and exploit sensitive data.

“The healthcare and education industries continue to be a top target for cybercriminals who find new ways to obtain the endless sensitive patient and student information due to the organization’s requirements to store this data,” explained Troy Gill, senior manager of threat intelligence at Zix Corp.’s AppRiver. “This is a great reminder for organizations to examine their security solutions and evaluate their current authentication practices to ensure they are building the safest habits to protect themselves and sensitive data that they store from bad actors.”

