First National’s Amazon S3 Bucket Leaked, 6,000 Applicant Resumes Exposed

Amazon’s Cloud offering provides reasonable security tools in order to prevent technical infiltration from outside attempts. However, breaches due to unknown bugs, security exploits or plain old human error can occur to even the best safeguards current technology can offer. The use of the cloud as a storage container and remote application host has grown in an unprecedented rate, to a point that companies taking advantage of cloud services are becoming more and more dependents and confident with storing unencrypted files in their shared storage section of Amazon and other web services.

This what happened with Australia’s First National, a real-estate firm in the land down under. Their Amazon S3 bucket which contained unencrypted resumes and other personal records of 6,000 applicants and employees were leaked publicly. The following information was leaked:

• Full name
• Address
• Contact number
• Birthdate
• Educational Attainment
• Employment history
• And other auxiliary information that a typical application resume contains.

First National is now under the jurisdiction of the Australian Notifiable Data Breaches ruling, that legally compel companies to notify all information affected by a data breach, especially if the chance of being subjected to an identity theft campaign is highly imminent. The ruling is enforced by a state agency named Office of the Australian Information Commissioner (OAIC).

The real estate firm went public and issued a press release stating that the Sales Inventory profile used by a contracted recruitment agency is to blame for the breach. “First National immediately responded through every appropriate channel to ensure that its network had not breached or participated in any notifiable data breach. As this breach is not within First National’s responsibility, we, like all networks with the real estate industry are dependent upon the Sales Inventory Profile organisation complying with the necessary security arrangements. We are working with our affected offices, and more importantly, any applicants that have been affected,” explained Ray Ellis, Network Chief Executive, First National.

The leaked resumes and cover letters can be found floating online, a copy of the Amazon S3 bucket also contains around 300 psychometric exams questions and answers as well. Additional information such as technical skills, length of tenure with other companies and information about the applicants’ reference persons are also included in the breached data. That means there are more things than meets the eye, as 3rd party people who just happened to be the chosen personal references of the application lost their data as well.

It is not yet known if First National will spend for the applicants and employees credit protection service. Credit protection service, also known as credit monitoring service aggressively creates a 24/7 checking of the borrower’s financial actions for potentially fraudulent transactions. Stolen information can be used by the cybercriminals to pretend to be their victim, transacting on behalf of the original owner of the information.

Gareth Llewellyn, an information security officer for Brass Horn Communication stated in her Twitter account that she got hold from the Internet some lost records from the breach. He saw the information leaked documents himself, which are very glaring since these are enough information to pull off a very successful fraud transaction at the expense of the real owner of the data.