Millions of Senior Citizens' Personal Data Exposed by Misconfiguration

Millions of senior citizens in North America have had their personal information compromised following a breach at senior care review website SeniorAdvisor, according to WizCase.

The researchers, led by Ata Hakcil, discovered a misconfigured Amazon S3 bucket owned by SeniorAdvisor, a company that displays consumer ratings and reviews for senior care services across the US and Canada.

The misconfigured bucket left the personal data of more than three million people, labeled “leads,” exposed. This included names, emails, phone numbers and dates contacted. In total, the bucket contained more than one million files and 182GB of data, none of which was encrypted, and no password or login credentials were required to access it.

WizCase believes the files are from 2002-2013 based on the contact dates, although the files were timestamped in 2017.

Additionally, the team found around 2000 “scrubbed” reviews in the misconfigured bucket, in which the user’s sensitive information was wiped or redacted. However, each scrubbed review contained a lead ID that would enable a malicious actor to trace it back to the person who wrote it, as the reviews and lead data were in the same exposed database.

WizCase added that it reached out to SeniorAdvisor about its findings, and the company confirmed the breach had been secured. Nevertheless, the exposed data could be used to launch scams and phishing attempts, which is especially worrying in this case, given that senior citizens are at higher risk of online fraud than the rest of the population.

“The greatest danger of this breach stems from the specific group of people left vulnerable. SeniorAdvisor is targeted toward senior citizens in or near retirement. In a 2018-2019 report, the FTC noted that people who filed a fraud complaint in the ages of 60-69 lost $600 per scam on average. The amount rose as the age group was older, culminating in $1700 on average per scam for people in the ages of 80-89,” outlined WizCase.
