It seems like nothing is safe anymore when it comes to online storage. Suffice it to say that if you have a document stored online, there’s a danger of it becoming public at some point or of having it hacked. Worse yet, sometimes the safety of your documents are just completely out of your control.
Even birth certificates. An online company that allows people to request a copy of their United States birth certificate exposed more than 750,000 applications. These applications were being stored on a cache that wasn’t protected by a password.
Birth Certificate Applications Vulnerable
Birth certificates are used for many reasons of verification of who you are. It’s a form of identification so that you can … get another form of identification, such as a driver’s license, passport, etc. If yours gets into the wrong hands, anyone could use that to obtain any information of you or even steal your identity.
Fidus Information Security, a company that does online penetration testing, discovered this egregious insecurity, with their discovery being verified by TechCrunch.
More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services storage bucket. This same bucket also had 90,400 death certificate applications, but these couldn’t be accessed or downloaded as easily as the birth certificates. This bucket was nor protected with a password. This means anyone who could get the web address could access the information stored on these birth certificates.
The application process differs by state, but the result is the same. People can use this service to apply to a state’s record-keeping bureau to obtain a copy of their birth. This usually includes their full name, date of birth, current home address, email, phone number, and historical personal information, including past addresses and names of family members, as well as the reason for requesting the birth certificate.
The applications that were found date back to 2017, but this doesn’t mean just babies born in the last two years, as you can request a copy of your birth certificate at various different times in your life. In just one week the company, which was not named by TechCrunch, added about 9,000 applications to the bucket.
Before the TechCrunch article was published, several emails were sent to warn the company of the exposed data, but they only received automated emails in return, with no action being taken. Amazon was reached but refused to intervene, yet agreed to inform their customer. The local data protection authority was notified as well.
There can be no excuses for this. Leaving such sensitive data open without even a password is just egregious. Just think of all the talk we do of security and privacy and measures that must be taken and that a simple password isn’t enough — this company didn’t even do that, not even a password.
What do you think should be done in this instance? Should this company be punished? Would that even matter, though, as the damage has already been done. Tell us what you think about these birth certificate applications being left unprotected online.