Shoddy OpSec traced back to single third-party contractor

There’s been no shortage of reports relating to misconfigured Amazon S3 buckets over recent months, and now Australia has found itself in the spotlight after it was revealed that the details of nearly 50,000 employees of government agencies and private companies have been exposed.

According to a report in Australian tech journal iTnews, 48,270 personal records of employees of several government agencies, banks, and a utility were left openly accessible in a publicly readable Amazon S3 storage bucket.

Insurer AMP was the most impacted, with 25,000 staff records exposed, followed by energy company UGL, which saw 17,000 staff records left open for anyone to access. “Several thousand government employee details were also leaked,” said iTnews.

The records, which included full names, passwords, IDs, phone numbers, email addresses, and some credit card numbers, were discovered by a Polish security researcher who searched for open Amazon S3 buckets with ‘dev’, ‘stage’, or ‘prod’ in the bucket name (the bucket name forms the subdomain of the bucket’s URL, which is why it is often described as part of the domain name).
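The search technique described above, as an added example that is not code from the original article or from the researcher it mentions: it builds candidate bucket names from an organisation’s base name and the three environment tags, then classifies the response AWS returns to an unauthenticated GET on the bucket’s virtual-hosted URL. The base name `acme`, the separator list, and the XML responses in the test are constructed for illustration; the live `probe` function needs network access and should only be pointed at buckets you are authorised to assess.

```python
"""Added example (not from the original page): find S3 buckets whose names
carry an environment tag and tell a publicly listable bucket apart from a
private or nonexistent one using AWS's unauthenticated responses."""
import re
import urllib.error
import urllib.request

ENV_TAGS = ("dev", "stage", "prod")
SEPARATORS = ("", "-", ".")  # assumed naming conventions, e.g. acme-dev, dev.acme, acmeprod


def candidate_names(base):
    """Return de-duplicated bucket-name guesses built around `base`.

    Bucket names must be lowercase, so the base is lowercased first.
    """
    base = base.lower()
    names = []
    for env in ENV_TAGS:
        for sep in SEPARATORS:
            names.append(f"{base}{sep}{env}")
            names.append(f"{env}{sep}{base}")
    seen = set()
    return [n for n in names if not (n in seen or seen.add(n))]


def classify_response(status, body):
    """Map (HTTP status, body) from GET https://<bucket>.s3.amazonaws.com/ to a verdict.

    200 with <ListBucketResult>  -> bucket exists and anyone can list it (the
                                    misconfiguration in the article); object keys
                                    are extracted so the finding can be triaged
    301/307                       -> bucket exists but lives in another region
    403                           -> bucket exists, listing needs credentials
    404 with NoSuchBucket         -> no such bucket
    """
    if status == 200 and "<ListBucketResult" in body:
        keys = re.findall(r"<Key>([^<]*)</Key>", body)
        return "PUBLIC_LISTING", keys
    if status in (301, 307):
        return "EXISTS_OTHER_REGION", []
    if status == 403:
        return "PRIVATE", []
    if status == 404 and "NoSuchBucket" in body:
        return "NONEXISTENT", []
    return "UNKNOWN", []


def probe(bucket, timeout=5):
    """Live, unauthenticated check of one bucket name (requires network).

    Returns (status, body) so the result can be fed to classify_response.
    """
    url = f"https://{bucket}.s3.amazonaws.com/"
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    base_name = sys.argv[1] if len(sys.argv) > 1 else "acme"  # "acme" is a placeholder
    for name in candidate_names(base_name):
        verdict, keys = classify_response(*probe(name))
        print(f"{name:40s} {verdict:20s} {len(keys)} keys listed")
```

`classify_response` is kept separate from the network call so the verdict logic can be exercised offline and reused on saved responses; a 200 with a `ListBucketResult` body is the condition to alert on, since it means the bucket ACL or policy grants `s3:ListBucket` to everyone.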

The leak, according to iTnews, was traced back to a single third-party contractor, who has since resolved the issue.

News of the exposed S3 bucket comes as the Office of the Australian Information Commissioner (OAIC) continues to focus on strengthening the country’s cybersecurity policy.

After reporting a 7% increase in voluntary breach notifications in fiscal 2016, the agency said data management in both the public and private sectors will “significantly strengthen” next year with the implementation of the Australian Public Service Privacy Governance Code and the Notifiable Data Breaches scheme.