Security researchers at Website Planet have discovered an unsecured Amazon S3 bucket containing the Personally Identifiable Information (PII) of millions of people.
Inside the bucket were ten folders, containing around 6,000 files and totaling over 1GB of data. While most (approximately 99%) of the data belongs to American residents, some information relates to people living in Canada.
In a blog post detailing the security failure, researchers claim that the unsecured bucket is the property of Beetle Eye, a marketing and CRM company based in Sarasota, Florida.
“We know that Beetle Eye owns the misconfigured Amazon S3 bucket because of references to the company inside the bucket,” wrote the researchers.
Beetle Eye’s clients include the Hilton Sandestin Beach, the Marigot Bay resort, Grand Junction Colorado and Miles Partnership.
Researchers said the PII was publicly accessible to all internet users because the bucket had not been configured correctly. No password protection or encryption had been implemented to secure its contents.
Exposed records contained several forms of PII including names, phone numbers, email addresses and mailing addresses. Researchers were also able to access answers individuals had given to survey questions.
“Specifically, this data relates to the ‘leads’ of the companies using Beetle Eye’s marketing automation platform,” wrote researchers. “In other words, the data exposed most likely belongs to potential customers of Beetle Eye’s clients.”
Three different datasets (Unnamed leads, GoldenIsles.com leads and Colorado.com leads) were found inside the bucket.
Researchers estimated that the PII of around seven million unique users was exposed in this data breach.
“This estimate is based on a sample of roughly 0.124GB of .csv files, taking duplicates into account,” they stipulated.
After discovering the open bucket on September 9, 2021, Website Planet sent a responsible disclosure of the data breach to Beetle Eye and its parent company, Atlantis Labs, on the same day. The researchers also disclosed the breach to AWS and the USA Computer Emergency Response Team (CERT).
“We suggest Beetle Eye (and companies in general) always double-check their databases to make sure they are secure,” said the researchers.
“It’s also advised companies assess the security of their databases at regular intervals.”
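The misconfiguration described above (a bucket readable by anyone on the internet) and the researchers' advice to check storage regularly both come down to three S3 settings: the bucket ACL, the bucket policy and the Public Access Block flags. The following audit is an added example, not code from Website Planet or Beetle Eye; it takes those three structures in the shape boto3 returns them and reports every way the bucket is public. The sample inputs are constructed and the bucket name is a placeholder.

```python
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account" in S3 ACLs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_grants(acl):
    """(permission, group) pairs granted to a public group in a get_bucket_acl() result."""
    return [(g["Permission"], g["Grantee"]["URI"].rsplit("/", 1)[-1])
            for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def policy_public_statements(policy_doc):
    """Sids of Allow statements with a wildcard Principal in a bucket policy JSON string."""
    if not policy_doc:
        return []
    statements = json.loads(policy_doc).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    hits = []
    for stmt in statements:
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def audit_bucket(acl, policy_doc, public_access_block):
    """Combine ACL, policy and bucket-level Public Access Block into findings; [] means clean.
    public_access_block is None when the bucket has no configuration (all four flags off)."""
    pab = public_access_block or {}
    findings = [f"PublicAccessBlock.{f} is not enabled" for f in PAB_FLAGS if not pab.get(f)]
    if not pab.get("IgnorePublicAcls"):  # public ACL grants only take effect when not ignored
        findings += [f"ACL grants {perm} to {group}" for perm, group in acl_public_grants(acl)]
    if not pab.get("RestrictPublicBuckets"):  # a wildcard policy only takes effect when not restricted
        findings += [f"Policy statement {sid!r} allows Principal '*'" for sid in policy_public_statements(policy_doc)]
    return findings

# Constructed sample in the shape boto3 returns (not data from the Beetle Eye bucket).
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, None):
        print("FINDING:", finding)
```

With boto3 the three inputs come from `get_bucket_acl()`, `get_bucket_policy()["Policy"]` (pass None when the call raises NoSuchBucketPolicy) and `get_public_access_block()["PublicAccessBlockConfiguration"]` (pass None on NoSuchPublicAccessBlockConfiguration); the account-level Public Access Block, checked through the s3control API, applies on top of the bucket-level flags and is not covered here.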