Blog | comforte

Over 750,000 Applications for Copies of US Birth Certificates Left Exposed Online

Written by Thomas Stoesser | Dec 13, 2019

Quick question, were you born in the United States? Have you recently applied for a new copy of your birth certificate? Well, you could be one of the unfortunate people whose birth certificate application was left exposed online.

It has been reported that more than 750,000 applications for copies of U.S. birth certificates have been left exposed without any access control in a misconfigured cloud server within an Amazon Web Services (AWS) storage bucket.

It is understood that a British security company discovered the data container with no password protection leaving the door wide open for cybercriminals to steal the information for fraudulent purposes. What’s worrying is the cache is seemingly being updated on a weekly basis with more applications being added.

The data was being collated by a third-party partner of the U.S. government which provides a service to U.S. citizens who wish to have copies of their birth and death certificates from state governments.

The company at fault has not been named as it is believed the critical data is still online and currently exposed. The leak exposed traditional sensitive information like names, date of birth, home addresses, email addresses and phone numbers, however, more historical information has also been revealed. For example, the server also contained past names of family members, old addresses linked to the applicant, and even the reason as to why the individual was seeking this information, which could be as trivial as applying for a new passport or even to research their family’s history.

Sadly, this is not the first time an unprotected AWS server has resulted in a high profile data leak as in June 2019, Netflix, Ford, and many other brands all had data exposed in an open Amazon AWS bucket which amounted to 1TB worth of information being left unprotected.

With these incidents frequently occurring, it begs the question as to why these online cloud servers are being left unprotected. Identity theft and fraud is widespread, and these leaks do not give people the confidence that companies, governments, and other organizations are doing enough to secure their critical data.

Service providers and processors need to wake up to the reality that data needs to be protected in a data-centric fashion to eliminate the risks of having a lapse or lack of due diligence.  Adopting a data-centric protection model ensures that data is protected anywhere it is stored, moved, shared, or used and is the only true firebreak that can quench identity theft.