AWS Cloud Leaks ID Cards And Fingerprints

November 18, 2020


A company on AWS S3 experienced a big problem.

Sometimes technology is hardest to get right at the most important and critical moments. Amazon's cloud storage options are widely and safely used for many mission-critical tasks around the Internet. However, they are not immune to being set up poorly and exposing users' personal data. A misconfigured AWS S3 bucket belonging to a California electronics retailer was discovered to have exposed over 2.6 million files, including ID cards and fingerprint biometric images. Security experts at Website Planet traced the bucket back to California-based TronicsXchange, previously known as GreenElectronicsExchange. A periodic scan for server vulnerabilities led to the discovery of the unprotected S3 bucket on October 12, 2020. The company itself appeared to be closed, with a non-functional contact email and an inaccessible website, but Website Planet contacted AWS two days later and the issue was ultimately repaired.

Of the millions of files and data points in the database, perhaps the most concerning for customers were the 80,000 or so images of personal identification cards, such as driver’s licenses, and the 10,000 fingerprint scans. Each driver’s license photo exposes multiple pieces of information about that individual, including license number, full name, birthdate, home address, gender, hair and eye color, height and weight, and a photo of the individual, among other things. This is very concerning for those users' privacy.

According to the report, the leaked data mostly relates to Californians who visited TronicsXchange stores in 2012-15. It’s unclear whether any malicious actors found the exposed data store before the leak could be plugged. Experts warned that the personal data could have been used to apply for credit cards or open bank accounts. Identity theft is a great concern when personally identifying information (PII) is exposed.
