A non-profit organization that operates Los Angeles County's social services hotline has accidentally exposed a trove of personal data and highly sensitive details of people who called to report problems abuse, crisis, and other health or human-services related problems. On March 14, UpGuard researchers discovered a trove of downloadable files stored in unsecured, anonymously accessible Amazon AWS S3 bucket.
The storage bucket contained the access credentials for those operating the Los Angeles County 211 system, email addresses for contacts and registered resources of LA County 211, over 3 million rows of call logs and 200,000 rows of detailed call notes logged between 2010 and 2016. These call notes included "graphic descriptions of elder abuse, child abuse and suicidal distress."
The leak exposed the full names, phone numbers, addresses of many victims, alleged perpetrators and witnesses in numerous cases of physical and sexual abuse. Around 33,000 full Social Security numbers and over 300,000 email addresses were also included. The S3 bucket also listed the names, email addresses and weakly hashed passwords of 384 LA County 211 service users as well.
"In the event the encryption was defeated, these passwords would not only make 211LA.org accounts vulnerable, but open individuals up to attacks on other platforms if they have reused their passwords, as many people do," researchers noted. "The other contents of the bucket indicate that LA County 211 uses remote desktop applications to administer their resources, meaning that users and passwords compromised from this public file could potentially be used to remotely access other systems and gain further data."
While some of the files had additional rules to prevent public users from downloading them, others including the Postgres database backup and CSV exports containing the sensitive call records were publicly downloadable.
"These notes describe the reason for the calls, including personally identifying information for people reporting the problem, persons in need, and, where applicable, their reported abusers," researchers noted. "Despite 211’s dedication to preserving the confidentiality of reports, a technical misconfiguration - in this case, an inadvertently public cloud storage instance - exposed not only email addresses and weakly hashed passwords for LA County 211 employees, but six years of highly sensitive call logs regarding some of the most vulnerable people in LA County."
In one instance, the call notes described a serious mental issue and incident of possible domestic violence. Another detailed possible drug abuse and a suicidal crisis, researchers said.
Researchers attempted to notify LA County 211 of the incident immediately who were eventually made aware of the issue on April 24. The exposed database was secured within 24 hours. It is not immediately clear how long the information was publicly exposed and if it was accessed by any malicious actors.
LA County's chief information security officer Ralph Johnson told the Los Angeles Times that the data was "innocuous log information", but noted it was not supposed to be public. Maribel Marin, LA County 211's executive director, said its network undergoes security audits and employees receive training in medical privacy laws. She also noted that the organization contracts with Amazon for storage due to its security saying: "It's very hard for anyone in the general public to get access to the Amazon cloud."
However, anyone with the right URL to a misconfigured, publicly accessible AWS S3 bucket can access its contents, or in this case, even download the data.
"The specific work done by 211 adds another layer of sensitivity on top of the normal things digital businesses have to worry about, such as user credentials being exploited, or systems being compromised," researchers said. "Those could damage the business. But it should be self-evident how the detailed and not-anonymized call records of an emergency, crisis, and abuse hotline could be used to hurt any number of individuals involved. There are few situations that call for greater confidentiality.
"Any loss of trust in a crisis and abuse reporting system will deter people from using it, removing one of the few mechanisms available to people in need," UpGuard added. "The public dispersal of the information contained in the LA County 211 files could be extremely damaging to those involved, and measures taken to protect such information should be equal to those repercussions."