Printing company exposes 343GB of sensitive military data

The leak is the latest in a series of data blunders discovered by vpnMentor's web-mapping project

UK Printing company Doxzoo inadvertently exposed 343GB of data through a misconfigured Amazon Web Services (AWS) S3 bucket, including sensitive information said to relate to branches of the UK and US military.

Potentially more than 100,000 users were affected by the data leak, with approximately 270,000 records exposed including personal information and payment information, as well as order details, passport information, and the contents of printing orders.

Among the exposed data was the copyrighted and sensitive work of Doxzoo clients, who spanned from military personnel to screenwriters. Researchers with vpnMentor, led by Noam Rotem and Ran Locar, found a wide range of information including university course material, screenplays, and internal military documents, some of which contained classified information.

“The items contained this leak often hold private and/or confidential information within,” said vpnMentor’s research team. 

“The promise of secure facilities and systems are key selling points for clients such as the military, and the breach of that guarantee is not only a failure in service, but also potentially holds a security risk along with it.”

The security firm has been finding pockets of exposed information for many months as part of a wider web-mapping project, and have recently detailed finding several alarming troves of exposed data.

These findings include a database of 604GB of text messages run by US-based communications firm TrueDialog, as well as sensitive information from British consultancy firms and consultants such as passport scans and financial documents.

The firm previously discovered exposed US military data in October 2019 due to a flaw in a reservations management system owned by the Best Western hotel chain. Personnel working for the US Department for Homeland Security (DHS) and the military was seen by researchers from vpnMentor, including travel arrangements both past and future.

Related Resource

How enterprises are embracing cyber security challenges

Enterprises across Europe, the Middle East and Africa are undergoing a significant transformation

Download now

The countries affected include not just the US and the UK, but clients in Sri Lanka, Nigeria and India, according to researchers. The UK-based printing company has a number of high profile clients and projects, including full-length books and sought-after paid wellness plans.

Doxzoo could have avoided this leak if they had taken basic security measures to protect the S3 bucket, vpnMentor said, including securing their servers, implementing proper access rules, and preventing system that don't need authentication from being accessed by the public through the internet.

The firm first discovered the exposed database on 22 January, before notifying the company four days later. Because Doxzoo didn’t respond to vpnMentor’s communication attempts, Amazon was notified on 5 February, and the bucket was finally closed on 11 February.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

How to protect against a DDoS attack
Security

How to protect against a DDoS attack

17 Sep 2020
Fitness Depot notifies customers of data breach
data breaches

Fitness Depot notifies customers of data breach

8 Jun 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google removes 17 apps infected with evasive ‘Joker’ malware
malware

Google removes 17 apps infected with evasive ‘Joker’ malware

28 Sep 2020