A team of ethical hackers at Wizcase found a major breach exposing a number of US cities, all of them using the same web service provider aimed at municipalities. This breach compromised citizens’ physical addresses, phone numbers, IDs, tax documents, and more.
Due to the large number and various types of unique documents, it is difficult to estimate the number of people exposed to this breach. The data was left without password protection and neither was it encrypted.
Over 100 US cities appeared to be using the same product, mapsonline.net, provided by an American company named PeopleGIS.
The municipalities’ data was stored in various misconfigured Amazon S3 buckets, that shared a similar naming convention to MapsOnline. WizCase believes that these cities are using the same software solution. Their team reached out to the company in question and the buckets since then have been secured
114 Amazon Buckets were named after the same pattern, revealing the connection to PeopleGIS. Among these, 28 appeared to be properly configured (meaning they weren’t accessible), and 86 were accessible without any password nor encryption.
This means there are 3 options:
- PeopleGIS created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured;
- The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets;
- The Municipalities created the buckets themselves, with PeopleGIS guidelines about the naming format but without any guidelines regarding the configuration, which would explain the difference between the municipalities whose employees knew about it or not.
What was exposed?
80 misconfigured Amazon S3 buckets holding data related to these municipalities, totalling over 1000 GB of data and over 1.6 million files. The type of files exposed varied by municipality. This variance and the number of municipalities involved means there was no way to give a clear estimate of the number of people left vulnerable in this breach.
The type of documents exposed includes business licenses, residential records such as deeds, tax information, and resumes for applicants to government jobs. Information exposed in the breach include (but isn’t limited to):
- Email address
- Physical address
- Phone number
- Drivers license number
- Real estate tax information
- Photographs of individuals (on drivers licenses)
- Photographs of properties
- Building and city plans
Some of the vulnerable documents were redacted, but they were digitally redacted using transparent tools like a marker. This means whoever found them could change the contrast level of the document in a photo editor and see the redacted information. This means even documents that were redacted were potentially vulnerable in this breach.
The breach could lead to massive fraud and theft from citizens of those municipalities. The highly sensitive nature of the data contained within a local government’s database, from phone numbers to business licenses to tax records, are highly susceptible to exploitation by bad actors.
Thanks to WizCase and team that the data has now been secured.
For more details: https://www.wizcase.com/blog/us-municipality-breach-report/