An unsecured and unencrypted Amazon Simple Storage Service (S3) bucket was found leaking 36,077 records belonging to inmates of correctional facilities in several U.S. states. The leak, which was discovered by vpnMentor, exposed personally identifiable information (PII), prescription records, and details of the inmate’s daily activities. The leaky repository belongs to JailCore, a cloud-based application utilized in correctional facility management.
The researchers first discovered the leak through a web mapping project, where they scanned ports to identified vulnerable systems. The findings were then reported to JailCore, and the bucket was closed some days after.
The exposed data included the inmates’ PII, such as their full names, date of birth, booking number, mugshot, and cell location. The researchers noted that some of the information were already publicly accessible even before the leak.
The inmates’ prescription records were also exposed, showing the name of the medication, dosage amount, start and end date, prescription quantity and remaining refills, time and date administered, if the inmate took the prescription or refused, and even the full name. Some cases had the signature of correctional officers who administered these drugs.
Details on the inmates’ activities involving the restroom, shower, meals, visits, recreation, packages, and cleaning were also revealed. Other records comprise of headcount reports and officer audit logs.
A JailCore representative claimed that most of the leaked records were for fake inmates, and were only created to test the application’s functionality. The representative admitted that a few of the leaked files did contain data on actual inmates, but said that these records did not reveal sensitive information.
Securing cloud storage services
Unsecured buckets make it easy for threat actors to steal data and obstruct operations. Although most cloud storage services have built-in security features, the configuration of these and the protection of the stored data ultimately lies with the user. Fortunately, there are several actionable steps that users can take to bolster the security of cloud storage systems.
First, users must deliberately learn and configure security settings. Many people mistakenly take the security of cloud services for granted, considering the whole system as “plug-and-play.” Cloud builders and IT security teams should study these security settings to ensure protection.
Users should also change default passwords and regularly update them. Cybercriminals have access to default and commonly used passwords, and actively scan for vulnerabilities to identify which systems they can penetrate. Using a strong password is a small but vital step against threats.