A US-based used electronics retailer has exposed over 2.6 million files, including ID cards and biometric images, after a misconfigured AWS S3 bucket was discovered.
Researchers at Website Planet traced the instance back to California-based TronicsXchange, previously trading as GreenElectronicsExchange (GEEx).
A routine scan for exposed servers led to the discovery of the wide-open S3 bucket on October 12, 2020. The company itself appeared to be shuttered, with an invalid contact email and its website offline, but Website Planet contacted AWS two days later and the issue was eventually remediated.
Of the millions of files found in the bucket, perhaps the most damaging for customers were the 80,000 or so images of personal identification cards such as driver’s licenses, and roughly 10,000 fingerprint scans.
Each driver’s license photo exposes multiple pieces of information about that individual, including license number, full name, birthdate, home address, gender, hair and eye color, height and weight, and a photo of the individual, among other things.
According to the report, seen exclusively by Infosecurity, the leaked data mostly relates to Californians who visited TronicsXchange stores in 2012-15.
It’s unclear whether any malicious actors found the exposed data store before Website Planet, but doing so is increasingly easy thanks to automated tools that continuously enumerate bucket names and test them for anonymous access. The researchers warned that the personal data could have been used to apply for credit cards or open bank accounts.
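The bucket described here was exposed because anonymous callers could list and read it; the defender-side check is to audit a bucket's ACL, its bucket policy and its Public Access Block settings together, since any one of the three can leave the bucket reachable. The script below is an added illustration written for this article, not code from Website Planet or from the retailer, and it runs offline against constructed sample configurations in the JSON shapes returned by `get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` (the bucket name `example-bucket` and owner ID are placeholders, not the retailer's real values).

```python
"""Audit an S3 bucket's ACL, policy and Public Access Block for public read.

Added example for this article; the sample inputs below are constructed and
do not come from the TronicsXchange bucket.
"""
import json

# Group URIs that mean "everyone" (AllUsers) or "any AWS account holder"
# (AuthenticatedUsers); both count as public from the defender's point of view.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions that let a caller list the bucket or fetch objects.
POLICY_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM JSON allows a single string wherever a list is also accepted."""
    return value if isinstance(value, list) else [value]


def acl_public_read(acl):
    """Return (group, permission) pairs for ACL grants that expose the bucket."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in ACL_READ_PERMISSIONS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def policy_public_read(policy):
    """Return (Sid, action, has_condition) for Allow statements open to any principal."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if not wildcard:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in POLICY_READ_ACTIONS:
                hits.append((stmt.get("Sid", "<no Sid>"), action, "Condition" in stmt))
    return hits


def effective_public_read(acl, policy, public_access_block):
    """Combine ACL, bucket policy and Public Access Block into a list of findings.

    IgnorePublicAcls neutralises public ACL grants that already exist and
    RestrictPublicBuckets neutralises public bucket-policy statements. The two
    Block* settings only stop new public settings from being written, so they
    do not change what is reachable right now and are not consulted here.
    """
    pab = public_access_block or {}
    findings = []
    if not pab.get("IgnorePublicAcls", False):
        for group, perm in acl_public_read(acl):
            findings.append(f"ACL grants {perm} to {group}")
    if not pab.get("RestrictPublicBuckets", False):
        for sid, action, conditional in policy_public_read(policy):
            # AWS treats some condition keys (aws:SourceVpc, aws:PrincipalAccount, ...)
            # as non-public; a human still has to read the Condition to be sure.
            note = " (has a Condition: check whether it really limits the caller)" if conditional else ""
            findings.append(f"policy statement {sid} allows {action} to any principal{note}")
    return findings


# Constructed samples: a bucket readable by AllUsers via ACL and by "*" via policy.
OPEN_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": OPEN_ACL["Owner"], "Grants": OPEN_ACL["Grants"][:1]}
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
NO_PAB = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}
FULL_PAB = {k: True for k in NO_PAB}

if __name__ == "__main__":
    for label, pab in (("no public access block", NO_PAB), ("full public access block", FULL_PAB)):
        print(f"{label}: {effective_public_read(OPEN_ACL, OPEN_POLICY, pab) or ['no public read path']}")
```

Run against live buckets, the three inputs would come from the corresponding S3 API calls for each bucket in the account; the point of evaluating them together is that a public ACL is harmless once IgnorePublicAcls is set, while a clean ACL says nothing about a bucket policy that grants `s3:GetObject` to everyone.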
“TronicsXchange’s misconfigured bucket contained an extensive set of personal information, including personally identifiable information that can be harnessed by nefarious hackers to cause severe financial, social and reputational damage to those affected by the leak,” they argued.
“Furthermore, given the fact that government-issued documents were exposed, nefarious users could potentially conduct identity fraud across different platforms and institutions. Users’ true likenesses, copies of official documentation and contact details could be harnessed to conduct identity theft.”