
Unprotected AWS S3 bucket exposed sensitive data about apprentices

  • The unsecured S3 bucket contained almost 143,000 entries that dated back to 2014.
  • The documents included sensitive data about apprentices such as passport scans, visa details, employment agreements and performance warnings.

Gareth Llewellyn, a privacy advocate from the UK, uncovered an Amazon Web Services S3 bucket that was publicly accessible without any password protection.

The bucket is linked to an Australian non-profit called MEGT, which provides recruitment and training services to local businesses.

What was exposed?

The leaky server contained offer letters and emails received by MEGT. The S3 bucket contained almost 143,000 entries that dated back to 2014.

  • It also contained several invoice-related and work placement documents belonging to apprentices recruited by MEGT.
  • The documents included sensitive data about apprentices such as passport scans, visa details, employment agreements and performance warnings.

What actions were taken?

MEGT does not own or manage the storage bucket. Instead, it hired a third-party service provider to manage its data, and that provider set up the AWS S3 bucket.

Upon discovery, Llewellyn reported the leaky server to the Australian Signals Directorate, and the bucket was secured by restricting public access.

“The MEGT breach is notable both for the sensitivity of the information it appeared to contain and its scale. More than 143,000 items were in the S3 bucket. Not all of the items are documents: some filenames indicated they were copies of software,” Computerworld said.

Cyware Publisher
