Unsecured AWS server exposed 3TB in airport employee records
An unsecured server has exposed sensitive data belonging to airport employees across Colombia and Peru.
On Monday, the SafetyDetectives cybersecurity team said the server belonged to Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire & safety services.
In a report shared with ZDNet, SafetyDetectives said one of Securitas’s AWS S3 buckets was not appropriately secured, exposing over one million files on the internet.
The server contained approximately 3TB of data dating back to 2018, including airport employee records. While the team was not able to examine every record in the database, four airports were named in exposed files: El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE).
The misconfigured AWS bucket, which did not require any authentication to access, contained two main datasets related to Securitas and airport employees. Among the records were ID card photos, Personally identifiable information (PII), including names, photos, occupations, and national ID numbers.
In addition, SafetyDetectives says that photographs of airline employees, planes, fueling lines, and luggage handling were also found in the bucket. Unstripped .EXIF data in these photographs was exfiltrated, providing the time and date the photographs were taken as well as some GPS locations.
“Considering Securitas’ strong presence throughout Colombia and the rest of Latin America, companies in other industries could have been exposed,” the researchers say. “It’s also probable that various other places that use Securitas’ security services are affected.”
Application IDs listed within mobile apps were also stored in the bucket. The IDs were used for airport activities, including incident reports, pointing the researchers to the likely owner in the first place.
The cybersecurity researchers reached out to Securitas on October 28, 2021, and followed up on November 2 after receiving no response. Securitas engaged in conversation with the team and secured the server on the same day. Swedish CERT was also informed,
ZDNet has reached out to Securitas, and we will update when we hear back.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0