We recently discovered an unsecured Microsoft Azure Blob that contains deeply sensitive documents of more than 12,000 construction workers, including scans of passports, national IDs, birth certificates, and tax returns. The cloud storage also contains self-employment contracts that include personally identifiable information such as full names, addresses, UK national insurance numbers, and signatures.
The blob appears to belong to Nohow International, a UK-based recruitment and staffing agency that provides blue- and white-collar personnel services to companies across the UK and other countries.
On December 8, we reached out to Nohow regarding the leak but received no response from the company. We then reported the leak to Microsoft CERT on December 15, and the blob was secured sometime in early January.