Updated: A UK agency for freelance doctors has potentially exposed personal details relating to 3,200 individuals via unsecured S3 buckets, which one expert said could be used to launch ID theft attacks or blackmail.
Lantum, an online locum doctor agency, had left the storage accessible on its old backend system, Network Locum, according to researchers. Cybernews discovered the Amazon AWS S3 bucket, which potentially exposed 98,000 files relating to thousands of individuals.
The security analysis company monitors various cloud blob storage services to understand the potential for misconfiguration. In the process, it discovered the Lantum S3 bucket, which was accessible and indexed on some IoT search engines. The analysts said any malicious actor could have found the repository of personal data relating to the 2014-2016 period.
“We then tried to contact Lantum multiple times with no response. We have asked for NCSC help and were advised to report it to NHS too. However, after multiple attempts, we received no response,” the researchers said. The bucket was closed almost immediately after the publication.