LA County Non-Profit Leaks 3.5 Million PII Via Misconfigured Amazon S3

Security researchers discovered LA-based non-profit organization Los Angeles County 211 accidentally exposed approximately 3.5 million records, including personally identifiable information (PII) and call notes logged between 2010 and 2016. A misconfigured Amazon AWS S3 storage bucket leaked downloadable databases containing rows of information concerning their employees, informants, and persons in need as the settings were programmed to be public and anonymously accessible.

[Read: Serverless Applications: What they mean in DevOps]

Researchers found the files stored in an Amazon S3 bucket subdomain labeled “lacounty.” And while not all the stored files were downloadable, around 200,000 rows of CSV exports and Postgres database backups of data were exposed. Readily available information included 211 system employees' access credentials, contacts’ email addresses, Social Security numbers, and the organization's registered sources. Researchers noted a higher concern for the call notes because of detailed reports and discussions with abuse victims and patients, including the problems reported, PII of people informing them of the concerns, the specific conditions of the people in need of assistance, and the names of the abusers for specific instances.

[Related: A misconfigured Amazon S3 exposed almost 50 thousand PII in Australia]

According to their website, LA County 211 “is the hub for community members and community organizations looking for all types of health, human, and social services in Los Angeles County.” The researchers noted that the organization assists up to 500,000 individuals annually. The bucket leak was seen as a “gold mine,” and an ideal target for misuse and exploitation due to the sensitivity of information contained and because the organization stored its entire operation in a single server.

[Read: Encrypting Amazon Storage: Not so simple]

Amazon S3 is an accessible cloud storage service where enterprises can store, retrieve, and update data from websites and mobile apps. This incident is not the first time sensitive information was exposed due to misconfigured permissions; 2017 witnessed a number of data breaches due to unprotected AWS servers. Fortunately, no data breach was reported prior to publishing. Researchers notified the organization of the situation as soon as it was discovered and have confirmed that the bucket is no longer publicly accessible.

Cloud storage features allow for greater ease of use and access to information wherever you go. Here are a few steps to secure your data:

  • Modify and verify your privacy configuration settings and permissions. Limit those who have access to all databases to create a layer of protection to sensitive information.
  • Confirm the cloud security infrastructure of your cloud buckets and keys. Security systems for cloud storage should be able to detect and prevent network attacks, provide virtual patches, and simplify security management.

Trend Micro Deep Security as a Service is a dedicated protection system optimized for AWS, Azure, and VMware to reduce the strain on your business’ IT department and immediately secure your servers without the need for installations or configurations. The latest security innovations allow for an agile development process, implementing new upgrades without the downtime, and connecting instantly to the cloud and data center resources for proactive detection of threats, network intrusion prevention, and security set up and management. Choose the cloud security appropriate for your needs.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.