A significant security lapse has resulted in the exposure of nearly 1 million records from a German lost and found software provider, potentially endangering traveler data across various airports in North America and Europe. Cybersecurity expert discovered the vulnerability and reported it to Website Planet, leading to immediate remedial action.
Discovery of Unsecured Databases
The researcher identified an unprotected and openly accessible database containing 820,750 records linked to Lost and Found Software, a company specializing in tracking and returning lost property for airports. Through further analysis, he uncovered a total of 14 databases, 10 of which were publicly available, amounting to 122GB of data.
Among the exposed information were images and documents related to lost belongings, including medical equipment, electronic devices, wallets, and luggage. More concerningly, high-resolution images of passports, driver’s licenses, and employment records were found, raising the specter of potential identity theft and fraud.
Security Concerns and Potential Risks
The breach poses significant risks due to the exposure of personal details such as names, home addresses, phone numbers, and financial transaction data. Malicious actors could exploit this information for identity fraud, produce counterfeit documents, or execute scams targeting travelers who have lost expensive items.
The redictable database naming conventions increase cybersecurity risks. Cybercriminals could use similar tactics to locate additional unsecured databases, reinforcing the need for companies to adopt unique, non-obvious database naming structures to mitigate security threats.
Company Response and Corrective Actions
After receiving a responsible disclosure report, Lost and Found Software acted swiftly to restrict public access to all identified databases within hours. The company attributed the security lapse to misconfigured Amazon S3 bucket policies that were overridden by access control settings. According to their security team, only specific storage buckets were affected, rather than the company’s entire internal database.
A day later, Lost and Found Software confirmed the issue, stating: “We appreciate your security research and have already taken steps to restrict public access to the data. We are now working on removing access to the specific files that were previously available.” However, the duration of the database’s exposure and whether unauthorized parties accessed the information remains unknown.
Key Takeaways and Security Best Practices
This event underscores the importance of robust data security measures for businesses handling sensitive customer information. To mitigate future risks, organizations should implement the following safeguards:
- Strong authentication mechanisms to restrict access to sensitive data.
- Data retention policies that ensure private information is only stored for a necessary period.
- Routine security assessments and penetration testing to detect and fix vulnerabilities.
- Encryption of highly sensitive records, such as identification documents, to prevent unauthorized access.
Final Thoughts
This data exposure serves as a stark warning about the dangers of inadequate security protocols. While Lost and Found Software took immediate action to remedy the situation, the incident highlights vulnerabilities that could have had severe consequences for impacted travelers. Companies responsible for safeguarding customer data must prioritize cybersecurity measures to prevent future breaches and unauthorized access.
The ethical researcher, stated that he did not download or misuse any data, only capturing limited screenshots for verification. His findings aim to promote stronger security measures and ensure organizations proactively protect customer information from emerging cyber threats.
