Ecommerce service exposed passports, ID details of users

S3 bucket included details of individuals included in the Dow Jones Watchlist

Sensitive personal details of individuals, including whether they appeared on the Dow Jones Watchlist of risky individuals, were exposed by a publicly accessible Amazon Web Services S3 bucket.

The documents in the S3 bucket, which was locked down earlier this week, were associated with the New Zealand operation of ecommerce service Cloud Union. Cloud Union, which originally launched in China, operates a plug-in loyalty service for its merchant clients. Consumers can sign up to the service and earn redeemable reward points across participating merchants.

The service has a presence in a number of markets outside China, including AustraliaMalaysiaSouth Korea, Taiwan and the United States.

The S3 bucket housed dozens of scanned or photographed passports as well as electronic identification verification (EIV) checks.

EIV checks conducted through Verifi include a range of sensitive information including the relevant individual's name and address, date of birth, NZ driver’s licence number, and whether the ID details match those held by the NZ Transport Agency and Centrix.

In addition Verifi reports include a list of individuals who appear the Dow Jones Watchlist that may match the subject individual, including indicators of risk (such as being a PEP or having been subject to adverse criminal or civil legal actions).

The S3 bucket appeared to have been created as part of a test.

Cloud Union did not respond to a request for comment.

The bucket was locked down shortly after CERT NZ and the company were alerted to the breach.

Unlike Australia, New Zealand does not yet have any form of mandatory data breach notification scheme, although a new Privacy Bill that would introduce a notification regime is currently being considered.

Australia’s mandatory breach notification scheme took effect in February 2018. In the first four full quarters of the scheme, the OAIC received notifications of 964 breaches, with 60 per cent related to criminal or malicious acts.

Open S3 buckets have been linked to a number of high-profile data breaches.

Last month Australian training company MEGT confirmed that a service provider it had engaged had left student information in an unsecured bucket. The data included identification details, educational data, transaction data, health data and passport and visa details.

ASX-listed property valuation firm LandMark White saw a significant drop in revenue after some its major clients suspended their use of its services following an S3-linked data breach.

Around 100 million people in the US and 6 million in Canada have been affected by the Capital One breach, which involved data stored on S3. However, in that case the breach has been attributed to a misconfigured web application firewall rather than a publicly accessible bucket.