A company that lets people download birth certificates from various state governments did a really dumb thing. It left 752,000 applications for copies of birth certificates on an unsecured Amazon Web Services server with an easy-to-guess URL. Yikes.
The leak was confirmed by Fidus Information Security, a British firm, and first reported by TechCrunch on Monday, and it’s a doozy. The applications, which dated back to late 2017, were updated daily, making it even more remarkable that no one raised a red flag in two years.
Applications contained loads of personal information, including the “applicant’s name, date-of-birth, current home address, email address, phone number and historical personal information, including past addresses, names of family members and the reason for the application — such as applying for a passport or researching family history.”
Applications from many states, including Florida, Texas, and California, were found in the “bucket.”
It’s one thing for a company to fall victim to a sophisticated cyberattack. It’s another for it to just put secure information online without even a password to protect it. It’s the kind of thing your computer-illiterate in-laws or naive kids might do.
The cherry on top of this disaster is the automated emails TechCrunch received when it tried to alert the company to the situation. It also reached out to Amazon, which said it would alert its client. Nothing the company has done has inspired a lot of faith that it will proactively and effectively aid the people whose information was exposed.
So if you’ve requested a birth certificate online through a third-party company for you or your kid, we’d recommend taking some proactive steps now.
- Reach out to the company you used to see if your information was exposed.
- Change the passwords on your most important accounts (as you should regularly) and make sure to choose complicated, difficult-to-guess new ones.
- Check your credit to make sure you don’t have any suspicious changes.
- If you haven’t already, consider signing up for a credit and/or identity theft monitoring service.
Thankfully, it looks like most states don’t ask for super-sensitive information like a Social Security, driver’s license, or passport number, so this leak could be a lot worse. But still, having your name, address, phone number, and email address out there is decidedly not ideal, and it’s worth your time to make sure no one is using your personal information to nefarious ends.