Insecure Amazon S3 bucket exposed personal data on 500,000 Ghanaian graduates
Cloud storage misconfiguration left sensitive data openly accessible
NSS administers Ghana's mandatory one-year national service program, which is compulsory for most Ghanaian graduates and places thousands of young people in 12-month postings in sectors such as healthcare and education.
Some of the three million files related to NSS’s work and held on an AWS S3 bucket were password protected but many were not – an oversight that exposed data of an estimated 500,000-600,000 people from March 2018 to the end of 2021, vpnMentor said.
Cloud storage misconfiguration
The AWS S3 bucket itself was neither encrypted nor password protected. The instance was misconfigured, and password protection was applied inconsistently, so that unprotected copies of sensitive password-protected files were accessible in other directories, vpnMentor reports.
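The exposure described above comes down to a bucket whose access controls allow anonymous reads. The following is an added example, not code from vpnMentor, NSS or The Daily Swig, of an offline check over the three settings that decide whether an S3 bucket is public: the bucket ACL, the bucket policy and the account/bucket Public Access Block. The input shapes mirror what boto3 returns from `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`; the two sample configurations (an open one and a locked-down one), the bucket name `example-bucket`, the account ID and the role name are all constructed for this example, and the function names are this example's own.

```python
"""Offline check for the kind of S3 exposure described above.

The inputs mirror the shapes boto3 returns from get_bucket_acl,
get_bucket_policy and get_public_access_block; the sample documents
below are constructed for this example, not taken from the NSS bucket.
"""
import json

# Grantee URIs that make an ACL grant readable by anyone (AuthenticatedUsers
# means any AWS account, which is effectively public).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Return (grantee URI, permission) pairs granted to everyone via the ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (with or without other entries)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Return Sids of Allow statements open to any principal with no Condition."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        # A Condition (e.g. aws:SourceVpc) may still restrict access; this
        # heuristic only flags unconditional grants and so may miss some
        # public statements rather than report false positives.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit_bucket(acl, policy, public_access_block):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for uri, perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid in policy_public_statements(policy):
        findings.append(f"bucket policy statement {sid} allows any principal")
    pab = public_access_block or {}
    missing = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                           "BlockPublicPolicy", "RestrictPublicBuckets")
               if not pab.get(k)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))
    return findings


# Constructed sample: the kind of configuration that leaves a bucket open.
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-example"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
]})
NO_PAB = {}  # get_public_access_block raises NoSuchPublicAccessBlockConfiguration

# Constructed sample: the corrected configuration. Owner-only ACL, access
# limited to one application role, all four public access blocks on.
LOCKED_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
FULL_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, args in (("open", (OPEN_ACL, OPEN_POLICY, NO_PAB)),
                        ("locked", (LOCKED_ACL, LOCKED_POLICY, FULL_PAB))):
        print(label, audit_bucket(*args) or ["no public access found"])
```

Against a live account the three dictionaries would come from boto3 calls, and the `get_public_access_block` call raises when no block is configured, which is exactly the case to treat as "all four missing". The policy check is a deliberately conservative approximation of AWS's own public-bucket evaluation; for production auditing, IAM Access Analyzer or the S3 console's "public" flag applies the full rule set, but the script shows which settings each of those verdicts rests on.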
Information held on the cloud-based storage system included personal information, scans of ID cards and photographs, as well as employment records. The same bucket also held employment notices, payment receipts and internal correspondence files from the NSS.
The exposed information potentially left thousands of Ghanaians at a greater risk of phishing, tax fraud and other forms of identity fraud.
Researchers from vpnMentor said that many of the documents contained the NSS logo and text directly related to the scheme.
The incident (along with suggested remediation advice) was reported both to NSS and Ghana’s Computer Emergency Response Team (GH-CERT).
The Daily Swig approached GH-CERT for comment on the incident. In response, GH-CERT confirmed the alleged breach was under investigation:
The report which you referred is under investigations with relevant bodies.
Consistent with operational procedures and best practices, the Cyber Security Authority cannot comment on matters under investigations [sic].
VpnMentor first discovered the alleged breach on September 29, notifying authorities on October 6 at the start of a somewhat protracted disclosure process.
In follow-up questions, The Daily Swig asked GH-CERT for confirmation that any exposed AWS S3 buckets had been rendered publicly inaccessible. No word back as yet, but we’ll update this story as and when more information comes to hand.