Thousands of students’ personally identifiable information (PII) was exposed by a medical school in the United States.
vpnMentor issued a report on the security breach on Wednesday, in which an unprotected bucket was left online. The server, which lacked security restrictions and was thus open to the public, held 157GB of data, or a little under 200,000 files.
The owner of the open system was identified as Phlebotomy Training Specialists once the researchers discovered it. Arizona, Michigan, Texas, Utah, and California are among the locations where the LA-based firm provides phlebotomy certification and training.
The documents stored inside were backed up from September 2020, according to vpnMentor, although some were produced before then.
The insecure Amazon S3 bucket had a variety of PII, including copies of ID cards and driving licenses and CVs with names, dates of birth, genders, student photographs, home addresses, phone numbers, email addresses, and professional as well as educational summaries.
Furthermore, over 27,000 tracking forms were discovered, some of which contained the last four digits of Social Security numbers, as well as student transcripts and images of training certificates.
The team at vpnMentor, led by Noam Rotem and Ran Locar, believes that between 27,000 and 50,000 persons were affected, including course applicants and participants.
On September 7, three days after the S3 bucket was discovered, the researchers alerted Phlebotomy Training Specialists to their findings. The researchers found two buckets, one of which had been closed while the other was still open.
“Once we confirmed that Phlebotomy Training Specialists was responsible for the data breach, we contacted the company to notify them and offer our assistance. After two attempts at contacting the company and receiving no reply, we reached out to AWS to see if it could assist in closing the breach as the host company. However, this also proved unsuccessful, so we contacted the United States Computer Emergency Readiness Team (US-CERT). While they replied the same day asking for more information, that was the last we heard from them. A few weeks later, US-CERT closed our support ticket on their website,” the vpnMentor team detailed in the report.