Another day, another company recklessly exposed their database for everyone with the link can see online. This time, it is the Indian productivity tool, Formget.
Based in Bhopal, India, the company which allows users to create forms and runs email marketing campaigns on behalf of their clients, has exposed millions of documents uploaded by their users and their clients. Formget allows more than 43,000 users of the platform to create online forms that they can use to ask their partners/members to submit documents, upload resumes, confirm proof of address, and even submit sensitive information like credit card number, among others.
A tech researcher who refused to be named found Formget’s exposed Amazon S3 storage bucket and contacted media outlets to reach the attention of the company in hopes that the exposed databased will be secured.
By Wednesday, Formget has already pulled the bucket out and is now secured. The said bucket includes data enclosed in folders for each year starting 2013. In each folder, the data was also further organized with subfolders for every month and is filled with a massive amount of user-uploaded data.
What was exposed?
The user-uploaded data that is included in the database revealed sensitive information such as scans of several passports — including U.S. passports — and other scanned documents, like paychecks, Social Security numbers, driver’s licenses, and national identity cards. Furthermore, the database also includes a letter from the Office of Veterans Affairs certifying former veterans of service-connected disability compensation, including the amounts paid.
Details of obtained loans and mortgages.
These mortgage information contain amounts, interest rates, and histories, as well as bank account statements, gas bills, military discharge from active duty forms and other similar proof of residency, were also exposed in the database.
Analysts also found internal corporate documents, some of them labeled as “confidential,” as well as scanned copies of shipping documents including the phone numbers and addresses of the receivers.
Aside from all of these data, the leaked database also includes copies of resume that exposed the data of applicants, including their name, postal address, educational background, and working experience. They also include some invoices from Google, Zoom, and even from Formget itself, for billed services — in some cases including the name, address and partial credit card numbers.
Other leaked information found in the database is several hotel and airline bookings and reservation receipts.
This incident is not uncommon
This kind of data breach, where corporations recklessly left their database open unintended, is something that we see almost every day. Back in May, more than 885 million data was left unsecured – not even with simple encryption mechanisms like passwords – from insurance giant First American.
In the First American data breach, information like bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts Social Security numbers and photos of driver’s licenses, all of which dated back to 2003 were left open unintentionally by the company, risking the security and privacy of their clients and members.
But one may contend that these kinds of data breaches are different from those caused by threat actors proactively gaining unauthorized access to a system. However, while data breaches caused by a hacker could be much dangerous than those that were unintentional, the latter is still a data breach that risked the data of many people.
Nonetheless, experts argue that the tech world – especially cloud computing engineers – has worked hard to prevent such incident from happening. One senior cloud security engineer said that most companies have protection mechanisms owned by default.
“In the case of Amazon, the default settings on an S3 bucket are private — no direct unauthorized internet access is allowed,” the engineer said. “When there are these reports in the news of massive leaks, it’s getting harder to point the blame at the cloud provider. On any installation in the past several years, developers have to go out of their way to expose these records.”
“Once an organization leaks data in a grossly negligent way like this, they have little to blame but themselves,” the engineer said.
And that may have made so much sense. A recent study reveals that “employee mistakes” is the most frequent reasons for unintended data breaches. However, whatever the reason might be, as mentioned earlier, a data breach is still a data breach.