Printing company exposes 343GB of sensitive military data

The leak is the latest in a series of data blunders discovered by vpnMentor's web-mapping project

UK Printing company Doxzoo inadvertently exposed 343GB of data through a misconfigured Amazon Web Services (AWS) S3 bucket, including sensitive information said to relate to branches of the UK and US military.

Potentially more than 100,000 users were affected by the data leak, with approximately 270,000 records exposed including personal information and payment information, as well as order details, passport information, and the contents of printing orders.

Among the exposed data was the copyrighted and sensitive work of Doxzoo clients, who spanned from military personnel to screenwriters. Researchers with vpnMentor, led by Noam Rotem and Ran Locar, found a wide range of information including university course material, screenplays, and internal military documents, some of which contained classified information.

“The items contained this leak often hold private and/or confidential information within,” said vpnMentor’s research team. 

“The promise of secure facilities and systems are key selling points for clients such as the military, and the breach of that guarantee is not only a failure in service, but also potentially holds a security risk along with it.”

The security firm has been finding pockets of exposed information for many months as part of a wider web-mapping project, and have recently detailed finding several alarming troves of exposed data.

These findings include a database of 604GB of text messages run by US-based communications firm TrueDialog, as well as sensitive information from British consultancy firms and consultants such as passport scans and financial documents.

The firm previously discovered exposed US military data in October 2019 due to a flaw in a reservations management system owned by the Best Western hotel chain. Personnel working for the US Department for Homeland Security (DHS) and the military was seen by researchers from vpnMentor, including travel arrangements both past and future.

Related Resource

How enterprises are embracing cyber security challenges

Enterprises across Europe, the Middle East and Africa are undergoing a significant transformation

Download now

The countries affected include not just the US and the UK, but clients in Sri Lanka, Nigeria and India, according to researchers. The UK-based printing company has a number of high profile clients and projects, including full-length books and sought-after paid wellness plans.

Doxzoo could have avoided this leak if they had taken basic security measures to protect the S3 bucket, vpnMentor said, including securing their servers, implementing proper access rules, and preventing system that don't need authentication from being accessed by the public through the internet.

The firm first discovered the exposed database on 22 January, before notifying the company four days later. Because Doxzoo didn’t respond to vpnMentor’s communication attempts, Amazon was notified on 5 February, and the bucket was finally closed on 11 February.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021
Indiana notifies 750,000 after COVID-19 tracing data accessed
data breaches

Indiana notifies 750,000 after COVID-19 tracing data accessed

18 Aug 2021
Pearson fined $1 million for downplaying severity of 2018 breach
data breaches

Pearson fined $1 million for downplaying severity of 2018 breach

17 Aug 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021