Legal Firm Leaks 15,000 Cases Via the Cloud

A legal advisory company has inadvertently exposed data on 15,000 cases involving people killed or injured in traffic accidents after a cloud misconfiguration.

Researchers at reviews site WizCase found the AWS S3 bucket containing 55,000 documents wide open. It required no authorization to view the 20GB trove, meaning anyone with the URL could have accessed highly sensitive personal information, WizCase said.
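As an added illustration that is not part of the article or WizCase's research, the check below evaluates an S3 bucket policy and ACL grant list offline for exactly the exposure described here: object reads that require no caller identity at all. The sample policy and grant list are constructed, and the bucket name `example-cases` is a placeholder.

```python
import json

# Constructed illustrative policy reproducing the failure mode in the article:
# anonymous read of every object. Not the consultancy's real configuration.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cases/*"}]})

# ACL grantee groups that mean "everyone on the internet" or "any AWS account".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _is_anonymous(principal):
    """True when the statement applies to anyone, i.e. no identity is required."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_read_statements(policy_json):
    """Return Sids of Allow statements granting object reads to anyone without
    a Condition block (e.g. aws:SourceVpc) narrowing who may read."""
    hits = []
    statements = json.loads(policy_json).get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Denies and conditioned grants are not open to the world
        if READ_ACTIONS & set(_as_list(stmt.get("Action"))) and _is_anonymous(stmt.get("Principal")):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(grants):
    """Return grantee URIs from a bucket or object ACL that expose data to public groups."""
    return [g["Grantee"]["URI"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


if __name__ == "__main__":
    print("Anonymous-read statements:", public_read_statements(SAMPLE_POLICY))
    acl = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]  # constructed ACL grant
    print("Public ACL grants:", public_acl_grants(acl))
```

Both functions operate on documents already fetched or exported (for example from infrastructure-as-code review), so they run without AWS credentials; enabling S3 Block Public Access at the account level is the control that would have stopped either form of exposure regardless of what the policy says.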

WizCase traced the data back to İnova Yönetim, a Turkish actuarial consultancy which analyzes data to help calculate insurance risk and premiums.

After contacting the firm on October 1, 2020, and AWS five days later, WizCase noted the server was secured on October 12, although no response was received from the consultancy.

For each of the 15,000 court cases, the researchers found personally identifiable information (PII) on the victim including name, national ID number, marital status and birth date, alongside insurance and accident details.

Some documents exposed even more details of witnesses, complainants and other parties, including detailed information on accidents, vehicle registration numbers, breathalyzer test results, descriptions of injuries and much more.

The data apparently related to cases between the start of 2018 and the end of summer 2020.

Those exposed in the privacy snafu may be at risk of scammers following up with highly convincing phishing emails or phone calls (vishing) designed to trick them into handing over more personal and financial information.

“With some social engineering, bad actors or criminals could contact a [mobile] operator, masquerading as the victim, and verify all kinds of verification questions operators would ask to clone a SIM card,” WizCase argued.

“After having access to victims’ phone calls and SMS messages, bad actors could then try to do the same operation with clients’ insurance and bank.”

Cyber-criminals could also use the data to try to bribe officials and blackmail or threaten individuals, it claimed.