Researchers have uncovered an unsecured Google Cloud database containing 800GB of personal user information.
The CyberNews research team discovered that the publicly accessible database, hosted on a Google Cloud server, contained more than 200 million detailed records.
Records included full names, titles, email addresses, phone numbers, dates of birth, credit ratings, detailed mortgage and tax records, home and mortgaged real estate addresses, demographics and detailed data profiles.
In a blog post, CyberNews explained: “It seems that much of the data on the main folder might have originated from the United States Census Bureau. Certain codes used in the database were either specific to the Bureau or used in the Bureau’s classifications.”
The database also contained two additional folders that were seemingly unrelated to the rest of the records. The folders included emergency call logs of a US fire department, and a list of some of the 74 bike share stations.
Despite the two folders not containing personal information, the call logs dated as far back as 2010 and included dates, times, locations and other emergency call metadata.
“The presence of the mapped bike share station locations and the call logs of the fire department may have indicated that the database might have been either a collection of stolen data or was used by several parties simultaneously, but we were unable to positively confirm this.”
CyberNews suspect that the main folder belonged to a data marketing firm or credit company, however, the research term were unable to identify the owner of the database.
It is not known how long the Google Cloud server was exposed for nor who accessed it However, on March 3, the entirety of the data present was wiped by an unknown actor. CyberNews explained that in the best case scenario, the deletion was done by an ethical hacker.
“While it’s unclear if any malicious actors have accessed the database before the wipe on March 3 or if the data was erased by a blackhat hacker, anyone who knew where to look could have accessed the data, without needing any kind of authentication,” CyberNews explained.
It should be noted that if accessed, cyber criminals could use the data to launch fraudulent schemes by utilising the names, email addresses and other private details of the affected users, in addition to launching cyber attacks.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/