We would like to think that any company handling our personal data has put in place the controls needed to stop that data falling into the wrong hands. With breaches becoming more common, and personal data sought after by criminals for identity fraud, it is reasonable to expect our data to be stored securely. That is not always the case.
Our team recently looked at how easily personal data can be found online by attackers, and the results are shocking. Using nothing more than search-engine operators (the kind that restrict results to a file type, a site or a phrase), we were able to find scanned images of personal identity documents such as passports and driving licences; some queries returned thousands of passports, freely available on the internet for anyone to view.
Leaked data types
We observed not only passports and driving licences from several countries, but also images of legitimate debit cards, birth certificates and CVs from multiple organisations.
Most of the documents appeared to have been uploaded by their owners through a web content management system (CMS), for example an application or recruitment form. The organisations running those websites had then failed to protect the uploaded files from two separate risks: being retrieved directly by anyone who knows or guesses the URL, and being crawled and indexed by search engines. The likely cause is the CMS's default upload settings, which typically store files in a web-accessible directory and are not adequate for personally identifiable information of this kind.
Every search engine runs crawlers (often called 'spiders') that follow links across the internet and add whatever they find to the engine's index, making it searchable. An uploaded file needs only to be linked from one crawled page, or to sit in a directory with listing enabled, to end up in search results. Note that the two risks are independent: telling crawlers not to index a file (via robots.txt or a noindex directive) reduces how easily it is found, but it does nothing to stop direct access. Only an access control that requires authentication before the file is served actually protects it.
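The following is an added example (not Bridewell's tooling, and not code from any CMS) of the check a practitioner would run over a site's uploaded documents: for each file it separates "can an anonymous client download this?" from "will a search engine index it?", so that a robots.txt rule or noindex header is never mistaken for protection. The URLs, the robots.txt and the HTTP responses are constructed for illustration, not captured from any real site; in a live audit they would come from fetching the site without credentials.

```python
"""Classify whether an uploaded document is (a) retrievable by an anonymous
client and (b) eligible for search-engine indexing.  Added example; not
Bridewell's tooling.  The URLs, robots.txt and HTTP responses below are
constructed for illustration, not captured from any real site."""
import re
from dataclasses import dataclass, field
from urllib.robotparser import RobotFileParser


@dataclass
class Response:
    """An HTTP response reduced to the fields the audit needs."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def __post_init__(self):
        # Header names are case-insensitive; normalise once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


# Constructed robots.txt: the site hides its CV folder from well-behaved
# crawlers but says nothing about the rest of the uploads tree.
ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-content/uploads/cv/
"""

# Matches <meta name="robots" content="noindex ..."> in an HTML body.
META_NOINDEX = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]+content=["\'][^"\']*noindex', re.I)


def crawl_allowed(robots_txt: str, url: str, agent: str = "Googlebot") -> bool:
    """True if robots.txt permits `agent` to fetch `url` (stdlib parser)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def noindex_signalled(resp: Response) -> bool:
    """True if the response carries an X-Robots-Tag or meta robots noindex."""
    if "noindex" in resp.headers.get("x-robots-tag", "").lower():
        return True
    is_html = "text/html" in resp.headers.get("content-type", "").lower()
    return is_html and META_NOINDEX.search(resp.body) is not None


def classify(resp: Response, robots_txt: str) -> str:
    """Return one of:
      protected              - server demanded credentials (401/403)
      unavailable            - not served to us at all (404, 5xx, redirect ...)
      exposed-robots-blocked - anyone can download it; robots.txt merely asks
                               crawlers not to fetch it (obeying crawlers then
                               never see any noindex header either)
      exposed-noindex        - anyone can download it; crawlers told not to index
      exposed-indexable      - anyone can download it and search engines will list it
    Only 'protected' is an access control; every 'exposed-*' state means the
    document is public and the label only describes how discoverable it is."""
    if resp.status in (401, 403):
        return "protected"
    if resp.status != 200:
        return "unavailable"
    if not crawl_allowed(robots_txt, resp.url):
        return "exposed-robots-blocked"
    if noindex_signalled(resp):
        return "exposed-noindex"
    return "exposed-indexable"


# Constructed responses, as an unauthenticated client would see them.
SAMPLES = [
    Response("https://example.org/wp-content/uploads/2019/passport-scan.jpg", 200,
             {"Content-Type": "image/jpeg"}),
    Response("https://example.org/wp-content/uploads/cv/smith-cv.pdf", 200,
             {"Content-Type": "application/pdf"}),
    Response("https://example.org/applicants/123", 200,
             {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
             "<html><body>application form</body></html>"),
    Response("https://example.org/secure/download/123", 401,
             {"Content-Type": "text/html", "WWW-Authenticate": 'Basic realm="staff"'}),
]


def audit(responses, robots_txt: str = ROBOTS_TXT) -> dict:
    """Map each URL to its exposure class."""
    return {r.url: classify(r, robots_txt) for r in responses}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:24} {url}")
```

Run against the constructed samples, the passport scan in the default uploads folder comes back as exposed-indexable, the CV as exposed-robots-blocked and the application page as exposed-noindex; all three are downloadable by anyone with the link, and only the download behind the 401 is actually protected. That is the distinction to keep in mind when a site's fix is "we added it to robots.txt".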
Bridewell has contacted, and continues to contact, the affected companies to give them clear guidance on securing this data. With the introduction of the General Data Protection Regulation (GDPR), the penalties for a breach of this nature are significant, as this is clearly an unacceptable level of protection for vast amounts of personal data. Free guidance on securing web applications is available from organisations such as OWASP, and we recommend that companies have their systems penetration tested at least annually, so that vulnerabilities are found before malicious individuals or organised cyber criminals find them.