‘Huge’ data leak exposes British consultancy firms and thousands of consultants

Leaky S3 buckets held sensitive information including passport scans, personal details and financial documents

Leaky servers exposed a wealth of personal and financial data held by British consultancy firms as well as thousands of professionals, ranging from expenses forms to personal names and addresses.

Thousands of sensitive files stored on an Amazon Web Services (AWS) S3 bucket had been exposed for an indeterminate amount of time after a database was found to be completely unsecured and unencrypted.

The compromised files related to the respective HR departments of a host of consultancy firms, as well as thousands of workers whose data was held by these departments. 

Most of the exposed data dates back to the 2014/15 financial year, with some files even going back to 2011, although researchers with vpnMentor, who discovered the leaky database, insist the information exposed is still pertinent to cyber criminals. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

“Given the nature of the files contained within the database, the information exposed is still relevant and could be used in many ways,” the researchers said.

“Had criminal hackers discovered this database, it would have been a goldmine for illicit activities and fraud, with potentially devastating results for those exposed.”

The open S3 bucket was discovered on 9 December 2019 and shut down ten days later after AWS responded to the researchers. 

The documents include thousands of passport scans, for instance, tax documents, background checks, paperwork relating to business taxes, scanned contracts with signatures, as well as emails and private messages.

This is on top of a treasure trove of personally identifiable information such as full names, addresses, phone numbers, and email addresses, as well as immigration statuses, salary details and details of individual consultants’ fees.

Having identified the database owner as just ‘CHS’, the researchers traced this back to CHS Consulting, a London-based consultancy firm. However, the researchers couldn’t completely verify the ownership of the database because this company has no website.

Advertisement - Article continues below

The companies whose files were exposed include, but are not limited to, Dynamic Partners, Eximius Consultants Limited, Garraway Consultants, IQ Consulting, Partners Associates Ltd, Winchester Ltd, researchers with vpnMentor have claimed. A handful of these firms have been dissolved.

Related Resource

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

vpnMentor discovered the leak as part of a wider web-mapping project, in which port scanning is used to examine IP addresses and test open holes in systems for any potential weaknesses.

“Our team was able to access this AWS S3 bucket database because it was completely unsecured and unencrypted,” the researchers added. “The purpose of this web mapping project is to help make the internet safer for all users.

“As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. 

Advertisement
Advertisement - Article continues below

“As we couldn’t reach out to the owner directly, we reached out to both the NCSC and Amazon, to let them know about the vulnerability but also to have them help us secure the data.”

The exposure of thousands of consultancy-related files is one of the first major data incidents of 2020, although it follows several similar leaks late last year. 

Advertisement - Article continues below

The same team of researchers, for example, in December 2019 found a trove of millions of text messages leaked through an exposed Microsoft Azure server owned by the US-based communications firm TrueDialog. 

Highly sensitive data belonging to the US Department for Homeland Security (DHS) and the US military to the tune 179GB was also leaked through an unsecured AWS S3 bucket, discovered in September and closed on 2 October 2019.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020