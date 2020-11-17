Infosecurity Group Websites
Latest
News

Over 80,000 ID Cards and Fingerprint Scans Exposed in Cloud Leak

A US-based used electronics retailer has exposed over 2.6 million files, including ID cards and biometric images, after a misconfigured AWS S3 bucket was discovered.

Researchers at Website Planet traced the instance back to California-based TronicsXchange, previously trading as GreenElectronicsExchange (GEEx).

A random scan for server vulnerabilities led to the discovery of the wide open S3 bucket on October 12 2020. The company itself appeared to be shuttered, with an invalid contact email and its website offline, but Website Planet contacted AWS two days later and the issue was eventually remediated.

Of the millions of files found in the database, perhaps the most damaging for customers was the 80,000 or so images of personal identification cards such as driver’s licenses, and 10,000 fingerprint scans.

Each driver’s license photo exposes multiple pieces of information about that individual, including license number, full name, birthdate, home address, gender, hair and eye color, height and weight, and a photo of the individual, among other things.

According to the report, seen exclusively by Infosecurity, the leaked data mostly relates to Californians who visited TronicsXchange stores in 2012-15.

It’s unclear if any malicious actors found the exposed data store before Website Planet, but doing so is increasingly easy thanks to automated tools. The researchers warned that the personal data could have been used to apply for credit cards or open bank accounts.

“TronicsXchange’s misconfigured bucket contained an extensive set of personal information including personal identifiable information that can be harnessed by nefarious hackers to cause severe financial, social and reputational damage to those affected by the leak,” they argued.

“Furthermore, given the fact that government-issue documents were exposed, nefarious users could potentially conduct identity fraud across different platforms and institutions. Users’ true likenesses, copies of official documentation and contact details could be harnessed to conduct identity theft.”

Related to This Story

What’s Hot on Infosecurity Magazine?

1
News

Scammers Expose Facebook Data Haul of 13 Million Records

2
News

Hotel Booking Firm Leaks Data on Millions of Guests

3
News

Crypto Firm Offers $200,000 Bug Bounty to Hacker Who Stole $2m

4
News

Russian and North Korean Groups Still Targeting #COVID19 Vaccine Firms

5
News

Healthcare Data Breaches to Triple in 2021

6
News

Cyber-Criminal Fined $300,000 for Pipeline Attacks

1
News

Employees Have Access to an Average of 10 Million Files

2
Blog

Solving the Global Cybersecurity Skills Gap in Two Simple Steps

3
News

#ISSE2020: Look to Decentralized (Rather than Legacy) Identity Approvals

4
News

#ISC2Congress: Modern Security Pros Are Much More than Technologists, Says Bruce Schneier

5
Interview

Interview: Yves Le Roux, (ISC)2 Harold F. Tipton Lifetime Achievement Award Winner

6
News

Over 80,000 ID Cards and Fingerprint Scans Exposed in Cloud Leak

1
Webinar

Putting People First: Overcoming Human Error in Email Security

2
Webinar

Risk-Based Security for Your Organization: What You Need to Know

3
Webinar

Behind the Scenes of a Live DDoS and BOT Attack: Launch and Mitigation

4
Webinar

Establishing a Successful DevSecOps Program: Lessons Learned

5
Webinar

Enabling Incident Response in a Remote Working Landscape

6
Webinar

Achieving Compliance with the Cybersecurity Maturity Model Certification (CMMC)

1
News Feature

Top Ten: Things Learned from the (ISC)2 Workforce Study

2
Blog

Five Emerging Cyber-Threats to Watch Out for in 2021

3
Webinar

Enabling Incident Response in a Remote Working Landscape

4
Opinion

Defend Yourself Against Dark Data

5
Webinar

Behind the Scenes of a Live DDoS and BOT Attack: Launch and Mitigation

6
Podcast

Into Security Podcast – Episode 20