752,000 US birth certificate applications were exposed online

TechCrunch discovered a data cache that isn’t protected by a password.

According to a report from TechCrunch, an online company that allows people in the US to obtain a copy of their birth certificate has exposed more than 752,000 applications. The case of negligence was discovered by Fidus Information Security, a company that conducts online penetration testing, and verified by TechCrunch. The two found that the company is storing the applications on an Amazon Web Services (AWS) cache that's not protected by a password. By simply entering the "easy-to-guess" address of the cache in a browser, a malicious visitor could access the documents held within. TechCrunch didn't disclose the name of the company to protect the privacy of those who used its service.
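The report describes object storage on AWS that anyone could read by typing in its address. The example below is added here and is not code from the article, from TechCrunch, or from the affected company; it assumes the storage was an S3 bucket (the article says only "AWS cache") and that a defender has already fetched the bucket's Block Public Access configuration and bucket policy. The configuration and policy documents are constructed inline in the shape the S3 API returns them, and the script flags the two things an auditor would check first: whether Block Public Access is fully on, and whether the policy grants access to an anonymous principal.

```python
import json

# Constructed sample inputs (hypothetical, not data from the incident).
# WEAK_* mirrors a bucket readable by anyone who knows the URL; HARDENED_*
# is the same bucket with Block Public Access on and a scoped-down policy.
WEAK_CONFIG = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_CONFIG = {k: True for k in WEAK_CONFIG}

WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-applications-bucket/*"}],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-applications-bucket/*"}],
})

REQUIRED_BLOCKS = ("BlockPublicAcls", "IgnorePublicAcls",
                   "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_gaps(config):
    """Return the Block Public Access settings that are not enabled."""
    return [k for k in REQUIRED_BLOCKS if not config.get(k, False)]


def _principal_is_public(principal):
    """True when a policy statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json):
    """List (Sid, actions) for unconditional Allow statements open to everyone."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditional public grants (e.g. restricted by source VPC) need
            # manual review; they are not reported as plainly public here.
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


def assess_bucket(config, policy_json):
    """Combine both checks. A public Allow only reaches anonymous callers when
    RestrictPublicBuckets is off, so that is the condition for 'exposed'."""
    gaps = public_access_block_gaps(config)
    public = public_statements(policy_json)
    return {
        "public_access_block_gaps": gaps,
        "public_statements": public,
        "exposed": bool(public) and "RestrictPublicBuckets" in gaps,
    }


if __name__ == "__main__":
    for label, cfg, pol in (("weak", WEAK_CONFIG, WEAK_POLICY),
                            ("hardened", HARDENED_CONFIG, HARDENED_POLICY)):
        print(label, assess_bucket(cfg, pol))
```

The policy check deliberately stops at the simplest pattern, an unconditional `Allow` to `*`; object ACLs and conditional grants are separate audits. In practice the two inputs come from `get_public_access_block` and `get_bucket_policy`, and turning on all four Block Public Access settings at the account level is the control that would have closed this kind of exposure regardless of what any individual bucket policy said.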

The applications include information like the applicant's name, their date of birth, current home address, email and phone number. Additionally, they included other details about people's lives, such as their previous address, the names of their family members and the reason they applied to get the documents in the first place.

The cache includes applications dating back to 2017. The company that maintains the database has added about 9,000 applications each day since TechCrunch started looking into it. The data cache also includes some 90,400 death certificate applications, but TechCrunch says it wasn't able to access or download those.

To make matters worse, beyond automated emails, the company hasn't responded to messages. Amazon, meanwhile, said it would notify the company of the exposure.

While the scale of this exposure isn't as big as we've seen in some past instances, it once again underscores the need for updated legislation related to how companies handle sensitive documents online. Earlier this year, a ProPublica investigation found that the medical data of some 5 million Americans was easy to obtain online. While the types of documents were different, in both cases ProPublica and TechCrunch found servers that weren't even password protected.