HR company stalled in securing Amazon S3 bucket, despite repeated requests from The Daily Swig

More than 6,000 job applications, including scans of passports, identification cards, and visas, were publicly available for months after yet another company misconfigured its Amazon S3 cloud storage, The Daily Swig can reveal.

The company in question, which will remain anonymous due to persistent data security issues, is a global recruitment agency that helps jobseekers to find employment and businesses to fill their workforces.

Prospective applicants, therefore, must submit personal information online to begin the process – passport, visa, name, gender, date of birth, picture, all standard details that an agency needs to place someone in a job.

It was these documents, belonging predominantly to citizens of Mexico, Latin America, South Africa, and Europe, that were left visible and publicly accessible through an easily searchable path to the company’s insecure S3 bucket, according to Bob Diachenko from Kromtech Security, who first discovered the issue.

“I went an extra mile and decided to upload my own ‘CV’ and ‘documents’ via the agency’s application page to see if these are reflected in the bucket,” Diachenko said in a blog post.

“Needless to say that my fake data immediately appeared in the cloud as the latest uploaded pdf-file for everyone to see.”

Diachenko, now an independent security researcher, works to make the internet safer by searching for vulnerabilities in databases and public-facing interfaces, and educating the affected companies on better security practices.

Insecure S3 buckets, typically the result of overly permissive access controls applied under deadline pressure, are a common finding and have been behind numerous data breaches as businesses of all sizes struggle with migrating data to the cloud.

While fixing these problems is straightforward enough – just check out this post by Kromtech Security – companies still fail to grasp that misapplied access controls can amount to handing client records to malicious actors, leading to public relations turmoil for the business at fault.
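To make the "misapplied access controls" concrete, the check below is an added example (the editor's code, not code from The Daily Swig, Kromtech Security or Diachenko). It evaluates the two S3 mechanisms that make a bucket public, the bucket ACL and the bucket policy, and shows how the four Block Public Access settings override them. The bucket name, the ACL and policy documents and the VPC endpoint ID are constructed for the example; they follow the JSON shapes returned by `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`. One caveat worth knowing when reading the end of this story: closing anonymous listing on the bucket does not by itself revoke public-read grants already set on individual objects, which is why the `IgnorePublicAcls` flag (it applies to object ACLs too) matters as much as the bucket ACL.

```python
"""Flag public-access grants in S3 bucket ACLs and bucket policies.

Editor's example; not the article's or Kromtech's code. Sample documents are
constructed, in the shapes returned by:
    aws s3api get-bucket-acl --bucket <name>
    aws s3api get-bucket-policy --bucket <name>      (Policy is a JSON string)
    aws s3api get-public-access-block --bucket <name>
"""
import json

# The two pre-defined groups whose presence in an ACL grant makes it public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """(permission, audience) for every grant to AllUsers/AuthenticatedUsers.
    READ on the bucket ACL is what lets an anonymous caller list the bucket."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            hits.append((grant["Permission"], PUBLIC_GROUPS[uri]))
    return hits


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean everyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_public_statements(policy):
    """Split Allow statements with a wildcard principal into (unconditional, conditioned).
    A conditioned wildcard is reported for review, not silently trusted."""
    if isinstance(policy, str):  # raw get-bucket-policy output is a JSON string
        policy = json.loads(policy)
    unconditional, conditioned = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        (conditioned if stmt.get("Condition") else unconditional).append(sid)
    return unconditional, conditioned


def assess_bucket(acl, policy=None, public_access_block=None):
    """Combine ACL, policy and Block Public Access into one verdict."""
    bpa = public_access_block or {}
    acl_hits = acl_public_grants(acl)
    open_sids, cond_sids = policy_public_statements(policy or {"Statement": []})
    # IgnorePublicAcls neutralises public ACL grants (bucket and object level);
    # RestrictPublicBuckets neutralises a public bucket policy for anonymous callers.
    acl_exposed = bool(acl_hits) and not bpa.get("IgnorePublicAcls", False)
    policy_exposed = bool(open_sids) and not bpa.get("RestrictPublicBuckets", False)
    return {
        "acl_public_grants": acl_hits,
        "policy_public_sids": open_sids,
        "policy_conditioned_sids": cond_sids,
        "bpa_missing": [f for f in BPA_FLAGS if not bpa.get(f, False)],
        "exposed": acl_exposed or policy_exposed,
    }


# Constructed samples for a hypothetical bucket "example-applicant-uploads".
OPEN_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},  # anonymous listing of every upload
]}
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [OPEN_ACL["Grants"][0]]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applicant-uploads/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applicant-uploads/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]})
# The fix, applied with:
#   aws s3api put-public-access-block --bucket example-applicant-uploads \
#     --public-access-block-configuration \
#     BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
FULL_BLOCK = {flag: True for flag in BPA_FLAGS}

if __name__ == "__main__":
    print("before:", assess_bucket(OPEN_ACL, OPEN_POLICY))
    print("after: ", assess_bucket(OPEN_ACL, OPEN_POLICY, FULL_BLOCK))
```

Run as-is it prints the "before" verdict (exposed via both the ACL READ grant and the `PublicRead` statement, with `VpcOnly` listed for review) and the "after" verdict once all four Block Public Access flags are on. Block Public Access is the setting to reach for first because it overrides both mechanisms at once; cleaning up the ACL and policy afterwards is still worthwhile so the bucket is not one flag flip away from being open again.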

“I’ve been trying to notify them, but no response,” Diachenko told The Daily Swig, following his discovery.

Working with Diachenko, The Daily Swig contacted the company on June 11 to expedite the much-needed protection of the clients’ privacy – information that third parties could have gained access to, for purposes such as identity theft.

But the numerous phone calls, emails, and messages that The Daily Swig sent through social media in the days, and then weeks, that followed remained unanswered by the agency.

“This is crazy,” Diachenko said. “I’ve been trying to call them several times as well, but no luck. The bucket is still up – with my fake resume.”

On June 27, The Daily Swig finally managed to get hold of one of the company’s managers. Their response was nothing short of hostile, which, given the number of times and ways we had tried to solicit a response, is perhaps understandable.

After persuading the manager to stay on the phone, that our intentions were credible, and that their problem should be a priority, they said: "We are now very busy. I really don't want to lie to you, it could be another two to three weeks, or a month. There is a person that deals with this [web security] but they are not in right now."

It appeared that the recruiting agency cared about placing the right people in the right jobs, but didn’t so much mind that lax security was putting their applicants’ personal information at serious risk of being compromised.

Either that or the small roster of employees at the company did not understand the technical problem – despite The Daily Swig’s efforts at explaining it.

Regardless of the reaction, on July 23, Diachenko noticed that the recruiting agency had secured the S3 bucket. The company did not inform him, nor The Daily Swig, that it had done so.

The Daily Swig has reached out to the company for comment, now that the S3 bucket has been secured. But while the bucket is now restricted, some files, unfortunately, are still accessible.
