Detected by the British company Fidus Information Security and revealed by TechCrunch on December 9th, 2019, more than 752,000 copies of US birth certificate applications have been exposed on the Internet. The leak involves an American company specializing in the online management of copies of civil records.
Names, first names, dates of birth, addresses, emails, phone numbers ... but also historical requests, previous addresses, names of family members and especially the reason for the request were freely accessible via simple, easy-to-guess URLs and not protected by any password. The leak reportedly affects people residing in California, New York, and Texas, for claims made in 2017.
Fidus and TechCrunch sent several emails before publication to warn of the exposed data, but we received only automated emails and no action was taken. We are not naming the company. When reached, Amazon would not intervene but said it would inform the customer.
DATA DOWNLOADABLE BY ANY INTERNET USER
The company responsible for the leak, which offers an online service allowing US citizens to obtain a copy of their birth and death certificates from state governments, reportedly stored personal information in Amazon Web Services (AWS).
These 752,000 copies of birth certificate applications were accessible without a password and were downloadable in a single click. It also listed 90,400 death certificate applications, but these were neither accessible nor downloadable. Cybersecurity experts warned the information could be used by criminals to conduct identity theft and fraud.
The data compromised here will ultimately end up on the dark web and in the hands of bad actors who can then use it to impersonate others or to create synthetic identities by pairing stolen Social Security numbers with the names, dates of birth and other compromised personal information.