Cloud storage misconfiguration left sensitive data openly accessible
UPDATED Authorities in Ghana are investigating an apparent data breach that may have exposed the personal information of hundreds of thousands of citizens of the west African country.
Researchers at vpnMentor say they discovered a trove of unencrypted data tied to Ghana's National Service Secretariate (NSS) in a storage silo from Amazon Web Services (AWS).
NSS administers one-year public service programs that are compulsory for most Ghanaian graduates, in which thousands of young people work in sectors such as healthcare and education for 12 months as a form of national service.
Some of the three million files related to NSS's work and held on an AWS S3 bucket were password protected but many were not – an oversight that exposed data of an estimated 500,000-600,000 people from March 2018 to the end of 2021, vpnMentor said.
Cloud storage misconfiguration
The AWS S3 bucket itself was neither encrypted nor password protected. The instance was misconfigured, and password protection was applied inconsistently, so that open versions of sensitive password-protected files were accessible in other directories, vpnMentor reports.
Information held on the cloud-based storage system included personal information, scans of ID cards and pictures, as well as employment records. The same bucket also held employment notices, payment receipts and internal correspondence files from the NSS.
The exposed information potentially left thousands of Ghanaians at a greater risk of phishing, tax fraud and other forms of identity fraud.
Researchers from vpnMentor said that many of the documents contained the NSS logo and text directly related to the scheme.
The incident (along with suggested remediation advice) was reported both to NSS and Ghana’s Computer Emergency Response Team (GH-CERT).
The Daily Swig approached GH-CERT for comment on the incident. In response, GH-CERT confirmed the alleged breach was under investigation:
The report which you referred is under investigations with relevant bodies.
Consistent with operational procedures and best practices, the Cyber Security Authority cannot comment on matters under investigations [sic].
VpnMentor first discovered the alleged breach on September 29, notifying authorities on October 6 at the start of a somewhat protracted disclosure process.
In follow-up questions, The Daily Swig asked GH-CERT for confirmation that any exposed AWS S3 buckets had been rendered publicly inaccessible. There's been no word back as yet, but a representative of vpnMentor confirmed that the “bucket is secured and inaccessible for the public”.
This story was updated to add a comment from vpnMentor confirming that the bucket had been secured.