Menu
Ecommerce service exposed passports, ID details of users

Ecommerce service exposed passports, ID details of users

S3 bucket included details of individuals included in the Dow Jones Watchlist

Sensitive personal details of individuals, including whether they appeared on the Dow Jones Watchlist of risky individuals, were exposed by a publicly accessible Amazon Web Services S3 bucket.

The documents in the S3 bucket, which was locked down earlier this week, were associated with the New Zealand operation of ecommerce service Cloud Union. Cloud Union, which originally launched in China, operates a plug-in loyalty service for its merchant clients. Consumers can sign up to the service and earn redeemable reward points across participating merchants.

The service has a presence in a number of markets outside China, including AustraliaMalaysiaSouth Korea, Taiwan and the United States.

The S3 bucket housed dozens of scanned or photographed passports as well as electronic identification verification (EIV) checks.

EIV checks conducted through Verifi include a range of sensitive information including the relevant individual's name and address, date of birth, NZ driver’s licence number, and whether the ID details match those held by the NZ Transport Agency and Centrix.

In addition Verifi reports include a list of individuals who appear the Dow Jones Watchlist that may match the subject individual, including indicators of risk (such as being a PEP or having been subject to adverse criminal or civil legal actions).

The S3 bucket appeared to have been created as part of a test.

Cloud Union did not respond to a request for comment.

The bucket was locked down shortly after CERT NZ and the company were alerted to the breach.

Unlike Australia, New Zealand does not yet have any form of mandatory data breach notification scheme, although a new Privacy Bill that would introduce a notification regime is currently being considered.

Australia’s mandatory breach notification scheme took effect in February 2018. In the first four full quarters of the scheme, the OAIC received notifications of 964 breaches, with 60 per cent related to criminal or malicious acts.

Open S3 buckets have been linked to a number of high-profile data breaches.

Last month Australian training company MEGT confirmed that a service provider it had engaged had left student information in an unsecured bucket. The data included identification details, educational data, transaction data, health data and passport and visa details.

ASX-listed property valuation firm LandMark White saw a significant drop in revenue after some its major clients suspended their use of its services following an S3-linked data breach.

Around 100 million people in the US and 6 million in Canada have been affected by the Capital One breach, which involved data stored on S3. However, in that case the breach has been attributed to a misconfigured web application firewall rather than a publicly accessible bucket.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cyber securitydata breaches

Brand Post

Featured

Slideshows

Reseller News Innovation Awards 2019: meet the winners

Reseller News Innovation Awards 2019: meet the winners

Reseller News honoured the standout players of the New Zealand channel in front of more than 480 technology leaders in Auckland on 23 October, recognising the achievements of top partners, emerging entrants and innovative start-ups.

Reseller News Innovation Awards 2019: meet the winners
Malwarebytes shoots the breeze with channel, prospects

Malwarebytes shoots the breeze with channel, prospects

A Kumeu, Auckland, winery was the venue for a Malwarebytes event for partner and prospect MSPs - with some straight shooting on the side. The half-day getaway, which featured an archery competition, lunch and wine-tasting aimed at bringing Malwarebytes' local New Zealand and top and prospective MSP partners together to celebrate recent local successes, and discuss the current state of malware in New Zealand. This was also a unique opportunity for local MSPs to learn about how they can get the most out of Malwarebytes' MSP program and offering, as more Kiwi businesses are targeted by malware.

Malwarebytes shoots the breeze with channel, prospects
Show Comments