Unsecured database exposes passport scans of thousands of British consulting professionals

Passport scans and other personal data were stored in an Amazon Web Services S3 bucket by a company called CHS Consulting

An unsecured database on Amazon has been discovered exposing sensitive information on thousands of British consultancy firms as well as working professionals.

The database was found by Noam Rotem and Ran Locar, two researchers at cyber security firm vpnMentor, who claimed that it was stored on an Amazon Web Services (AWS) S3 bucket and was leaking information belonging to HR departments of various British consultancy firms, as well as professionals.

The researchers said they were able to see all files stored in the database, including thousands of passport scans, tax documents, background checks, job applications, expense forms, scanned contracts, emails, and salary details.

The files contained a range of personally identifiable information (PII) of working professionals, including their names, phone numbers, addresses, dates of birth, and national insurance numbers.

The unencrypted database had been exposed for an unknown amount of time, and contained everything a cyber crook would need to carry out fraud, identity theft, or other malicious activities.

Most of the compromised files dated back to financial year 2014/15, with some even going back to 2011.

The database owner was identified as 'CHS', which researchers traced back to CHS Consulting, a firm based in London. The ownership of the database could not be fully confirmed, as the company has no website.

The consultancy firms whose files were exposed in the breach include Garraway Consultants, Dynamic Partners, IQ Consulting, Eximius Consultants Limited, Winchester Ltd, Partners Associates Ltd, and others. Many of these firms are no longer in business, according to the researchers.

The unsecured S3 bucket was discovered on 9th December 2019 and was reported to AWS and the UK's Computer Emergency Response Team (CERT). The database was finally taken offline by AWS on 19th December.

Notably, it was not the fault of AWS, researchers said, and was likely the result of the bucket owner's negligence.
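The "bucket owner's negligence" in question is a bucket whose ACL, policy or missing Public Access Block leaves it readable by anyone. As an added example (not from the article, vpnMentor or CHS Consulting), this Python audits those three settings; it runs offline on constructed inputs shaped like the responses of boto3's get_bucket_acl, get_bucket_policy and get_public_access_block, and the bucket name and policy are made up.

```python
import json

# Grantee URIs that make an ACL grant readable by anyone (or by any AWS account).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

def public_policy_statements(policy_json):
    """Sids of Allow statements whose Principal is everyone ('*')."""
    if not policy_json:
        return []
    hits = []
    for st in json.loads(policy_json).get("Statement", []):
        p = st.get("Principal")
        if st.get("Effect") == "Allow" and (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def block_is_complete(pab):
    """True only when all four Public Access Block flags are enabled."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                            "BlockPublicPolicy", "RestrictPublicBuckets"))

def audit_bucket(acl, policy_json, pab):
    """Return findings; an empty list means nothing in the bucket is public."""
    findings = []
    if not block_is_complete(pab):
        findings.append("public access block incomplete")
    # Once IgnorePublicAcls/RestrictPublicBuckets are on these grants are inert,
    # but still report them so they get removed rather than merely masked.
    findings += [f"ACL grants {p} to a public group" for p in public_acl_grants(acl)]
    findings += [f"policy statement {s} allows Principal *" for s in public_policy_statements(policy_json)]
    return findings

# Constructed sample: world-readable bucket with no Public Access Block (the pattern
# behind leaks like this one), plus the block configuration that would have stopped it.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                   "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
```

To audit a real bucket, pass the live responses of get_bucket_acl(), get_bucket_policy()['Policy'] and get_public_access_block(), treating the last as None when the call reports that no configuration exists.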