A misconfigured, publicly accessible Amazon Web Services (AWS) S3 bucket belonging to RigUp exposed tens of thousands of private files belonging to organizations and individuals in the U.S. energy sector, vpnMentor reports.
Founded in 2014, United States-based RigUp is a labor marketplace and services provider for the country’s energy sector. The software company connects independent contractors with companies across the U.S.
The exposed bucket contained over 76,000 private files pertaining to both companies and individuals using the platform, vpnMentor says.
On March 10, the security firm discovered the exposed S3 bucket, which was named “ru” and which contained many files featuring RigUp’s name, allowing the owner to be identified quickly.
The live bucket was over 100GB in size and held data stored there between July 2018 and March 2020. In it, RigUp was storing a broad range of files belonging to clients, contractors, job seekers, and candidates for employment.
Human resources-related files found in the bucket included employee and candidate resumes, personal photos (even private family photos), paperwork and IDs related to insurance policies and plans, professional IDs, profile photos (including of US military personnel), and scans of professional certificates in different fields.
A considerable amount of personally identifiable information (PII) was included in these files, such as full contact details (names, addresses, and phone numbers), Social Security information, dates of birth, insurance policy and tax numbers, personal photos, and additional information related to education, professional experience, and personal lives.
Internal records related to the business operations, projects, and corporate relationships of many energy firms were also found in the bucket, including project proposals and applications, project outlines, technical drawings for drilling equipment, and corporate insurance documents.
“Had malicious hackers discovered this database, it would have been an absolute goldmine for various fraud schemes and criminal attacks against everyone involved,” vpnMentor says.
The root cause of the issue, the security firm notes, was that RigUp did not properly secure the S3 bucket, thus exposing information on thousands of individuals. An S3 bucket is private by default; it becomes readable by anyone only when a bucket policy or ACL grants access to everyone and the account- or bucket-level Block Public Access settings that would override such a grant are not enabled. The company was quick to address the issue after being alerted to it.
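The three places where a bucket like this becomes public are its bucket policy, its ACL, and the Block Public Access configuration. The following audit routine, added here as an illustration and not code from vpnMentor, RigUp, or AWS, evaluates all three offline. The input documents are constructed samples shaped like the `Policy`, `Grants`, and `PublicAccessBlockConfiguration` fields that the S3 API returns; the bucket name and the `aws:SourceVpce` value are hypothetical, and no AWS credentials or network access are needed.

```python
import json

# Grantee URIs that make an ACL grant readable by the whole world (AllUsers)
# or by any AWS account holder (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Block Public Access switches; any one left off is a gap.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _principals(principal):
    """Flatten a statement's Principal element into a set of strings."""
    if isinstance(principal, str):
        return {principal}
    out = set()
    for value in principal.values():  # e.g. {"AWS": ["*", "arn:aws:iam::..."]}
        out.update([value] if isinstance(value, str) else value)
    return out


def policy_public_statements(policy):
    """Return (public, conditional): Sids of Allow statements open to any principal.

    A statement that allows "*" but carries a Condition is reported separately,
    because whether it is truly public depends on the condition keys.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    public, conditional = [], []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        label = stmt.get("Sid", str(idx))
        (conditional if "Condition" in stmt else public).append(label)
    return public, conditional


def acl_public_permissions(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def public_access_block_gaps(config):
    """Return the Block Public Access settings that are not enabled."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(k, False)]


def audit_bucket(policy, acl, pab_config):
    """Combine the three checks; 'exposed' is True when a public grant is not blocked."""
    public, conditional = policy_public_statements(policy)
    acl_public = acl_public_permissions(acl)
    gaps = public_access_block_gaps(pab_config)
    exposed = (bool(public) and "RestrictPublicBuckets" in gaps) or \
              (bool(acl_public) and "IgnorePublicAcls" in gaps)
    return {"policy_public": public, "policy_conditional": conditional,
            "acl_public": acl_public, "pab_gaps": gaps, "exposed": exposed}


# Constructed sample inputs (hypothetical bucket name and VPC endpoint id).
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
CONDITIONAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
NO_BLOCK = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}
FULL_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    print(audit_bucket(OPEN_POLICY, OPEN_ACL, NO_BLOCK))
    print(audit_bucket(PRIVATE_POLICY, {"Grants": []}, FULL_BLOCK))
```

In a real audit the three inputs come from `get_bucket_policy`, `get_bucket_acl`, and `get_public_access_block` (the last also at the account level via S3 Control), and a missing policy or Block Public Access configuration is reported by those calls as an error rather than an empty document, so treat "no configuration" as all four switches off. The conditional bucket is the one to look at by hand: a condition on `aws:SourceVpce` keeps the data off the public internet, while one on `aws:Referer` does not.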
“These kinds of breaches are almost always tied back to human error, either not following documented instructions or failing to automate an important security step during deployment. The answer remains to continuously increase awareness of the risks associated with cyber security and the importance of being vigilant any time a human action is involved. Creating this culture of awareness is the first and most important step any organization can take in decreasing their cyber exposure,” Bill Santos, president of Cerberus Sentinel, said in an emailed comment.