An anonymous security researcher discovered an unprotected AWS bucket owned by outsourcing giant Capita which had been left exposed on the internet since 2016. The bucket contained nearly 3,000 files worth roughly 655GB in size. The security researcher had informed Capita of the breach in late April and the company secured the bucket within the week.
The researcher told TechCrunch that there was no password protection on the bucket, meaning anyone who could guess the web address would gain access to the files straight away. The exposed bucket was also indexed by GrayHatWarfare, a database that catalogues cloud storage exposed to the internet.
Exposed files from the bucket included server images, Excel spreadsheets and PowerPoint presentations, as well as software and text files. One of these files also contained login credentials for one of Capita’s systems. Some of the file names suggest that data was still being uploaded to the bucket in 2023.
We don’t know at the moment whether or not the exposed data belonged to Capita customers, which include prominent British government bodies such as the National Health Service and the Department for Work and Pensions. However, considering just how quickly the bucket was protected once the matter was brought to Capita’s attention, there’s a good chance that at least some of the exposed files weren’t supposed to be available on the internet.
Regardless, this has cast a shadow over Capita’s data handling practices. The company doesn’t even have a responsible disclosure program or a dedicated security contact. To make matters worse, Capita was only recently attacked by the Black Basta ransomware group in March. The breach happened “on or around” March 22 and was interrupted by Capita on March 31, according to the company’s statement on the incident.
The researcher, however, believes that the two incidents are separate. The damage caused by the exposed bucket is unknown at the moment, but Capita did admit in April that it had seen some evidence of data exfiltration that could potentially include customer, supplier or colleague data.
Samples of this data included bank account details, passport photos and driver’s licenses, in addition to the personal data of teachers applying for jobs at various schools. Capita also suspects that at least some pension-related data has likely been stolen. As for Black Basta, the ransomware gang is yet to publicly release Capita’s files, with no news on whether or not a ransom demand was paid.