Recently, sensitive data belonging to airport staff in Colombia and Peru was exposed due to an unsecured server. According to the SafetyDetectives cybersecurity team, the server belongs to Securitas. This Stockholm, Sweden-based organization provides on-site guarding, business risk management, electronic security solutions, and fire & safety services.
SafetyDetectives said in a report that one of Securitas’ AWS S3 buckets was not properly protected, exposing over one million data to the internet. The server had around 3TB of data, including airport staff information, dating back to 2018. While the team was unable to study every entry in the database, they were able to identify these four airports in the leaked files:
- El Dorado International Airport (COL)
- Alfonso Bonilla Aragón International Airport (COL)
- José María Córdova International Airport (COL)
- Aeropuerto Internacional Jorge Chávez (PE)
The two primary databases connected to Securitas and airport personnel were kept in the misconfigured AWS bucket, requiring no authentication to access. ID card photographs, personally identifiable information (PII), such as names, photos, occupations, and national ID numbers, were among the leaked documents.
Photographs of fueling lines, airline staff, planes, and luggage handling were also discovered in the bucket, as per SafetyDetectives. Unstripped .EXIF data in these images was stolen, revealing the time and date of their capture as well as specific GPS coordinates.
“Considering Securitas’ strong presence throughout Colombia and the rest of Latin America, companies in other industries could have been exposed,” researchers said. “It’s also probable that various other places that use Securitas’ security services are affected.”
The bucket also contained the application IDs specified within mobile applications. The IDs were used for airport operations, such as incident reports, which led the researchers to the most likely owner.
On October 28, 2021, the cybersecurity researchers contacted Securitas and followed up on November 2 after receiving no answer. Securitas had a meeting with the staff and protected the server the next day. The Swedish CERT was also notified.