
UK Consultancies Leak Data on Thousands of Workers

Thousands of UK business professionals have had their personal details exposed online via a leaky Amazon Web Services bucket, after researchers discovered files belonging to multiple consulting firms.

The misconfigured S3 resource is thought to have been left publicly viewable, with no authentication, by a London-based company known as CHS Consulting, according to vpnMentor.

However, as the firm has no website, the researchers have been unable to confirm ownership of the database, labelled “CHS.”

What they do know is that it contained files from the HR departments of multiple UK consulting firms, including Eximius Consultants, Dynamic Partners and IQ Consulting. Most of the data is from 2014-15, although records go back to 2011.

It included passport scans, tax documents, criminal record information and background checks, HMRC-related paperwork, emails and private messages as well as a range of PII including names, email and home addresses, dates of birth and phone numbers.

“Had criminal hackers discovered this database, it would have been a goldmine for illicit activities and fraud, with potentially devastating results for those exposed,” argued vpnMentor.

“If you’re a UK-based consultant or consulting firm and are concerned about this breach, contact the CERT-UK to understand what steps are being taken to keep your data safe and ensure it has not been leaked.”

The researchers contacted the CERT-UK on December 10, a day after discovering the leak, and followed up with AWS a week later. The cloud giant took action a day later on December 19 to secure the database.

This is just the latest of several incidents in which large cloud databases containing highly sensitive personal information have been discovered by the research team.

Other companies found wanting include LightInTheBox, Yves Rocher and Autoclerk. In one incident, the names, phone numbers and financial information of approximately 20 million Ecuadoreans, virtually the entire population, were exposed online.
