Over 80 US Municipalities data are exposed due to Misconfigured Amazon S3

A team of Cybersecurity researchers at Wizcase found major data exposure of Over 80 US Municipalities due to the Misconfigured Amazon S3 Bucket.

This happened because all of them using the same web service provider aimed at municipalities. This breach compromised citizens’ physical addresses, phone numbers, IDs, tax documents, and more. 

Due to the large number and different types of unique documents, it is difficult to estimate the number of persons exposed to this Breach. It was not necessary to have a password or login credentials to access this information, and the data was unencrypted.

More than a hundred American cities seemed to use the same product, mapsonline.net, provided by an American firm called PeopleGIS. Data from these municipalities was stored in multiple incorrectly configured Amazon S3 buckets that shared naming conventions similar to MapsOnline.  For this reason, we believe those cities use the same software solution.

PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data.

This means there are 3 options:

  • PeopleGIS created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured;
  • The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets;
  • The Municipalities created the buckets themselves, with PeopleGIS guidelines about the naming format but without any guidelines regarding the configuration, which would explain the difference between the municipalities whose employees knew about it or not.

More than 80 incorrectly configured Amazon S3 buckets containing data on these municipalities, totaling more than 1,000 GB of data and more than 1.6 million files. The type of files exposed varied by municipality. In This Breach, there was no way to provide a clear estimate of the number of people left vulnerable in this breach.

The type of documents exposed includes business licenses, residential records such as deeds, tax information, and resumes for applicants to government jobs. The information exposed in the breach include:

  • Email address
  • Physical address
  • Phone number
  • Drivers license number
  • Real estate tax information
  • Photographs of individuals (on drivers licenses)
  • Photographs of properties
  • Building and city plans

The breach could lead to massive fraud and theft from citizens of those municipalities. The highly sensitive nature of the data contained in the local government database, from telephone numbers to business licenses to tax records, is highly susceptible to exploitation by threat actors.