Los Angeles Health Referral Company Left 3.2 Million User Records Open to Public Eyes

The cyber risk team from UpGuard have found an unsecured AWS S3 bucket exposed to the Internet which contains more than 3.2 Million records. The records from a non-profit organization serving LA County named “211 LA County”. The records also have credentials of 211 system operators and email address of their contacts. There are more than 200,000 rows of detailed notes.

The call notes have personally identifiable information of people such as their reported abusers. There are also graphic descriptions of elder abuse, child abuse and suicidal distress, raising serious, large-scale privacy concerns. The information stored in the S3 bucket is located in Subdomain “LA County” which is said to be misconfigured and anonymously accessible. “Though some of the files in the bucket were not publicly downloadable, those that were included Postgres database backups and CSV exports of that data, with hundreds of thousands of rows of sensitive personal information,” the UpGuard post stated.

“When you see an organization expose such sensitive data, it should serve as a reminder that companies must maintain an understanding of whether the service they use is risk-appropriate for the type of data they store there,” Bisbee said.

UpGuard has confirmed the bucket is no longer publicly accessible after they have notified the 211 LA County.

“Amazon S3 access rules can be set for both the bucket as a whole and for the files within it. In the case of the “lacounty” bucket, permission settings allowed anyone to list the contents; some of the files inside, however, had additional rules preventing public users from downloading them,” the UpGuard post said.

More than Three-Quarters of companies have critical cloud security misconfigurations and every reported data leak is a lesson for the companies to assign greater emphasis to their security team.

Let us know your thoughts.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients