Over 80 US Municipalities’ Sensitive Information, Including Resident’s Personal Data, Left Vulnerable in Massive Data Breach

Pierluigi Paganini July 23, 2021

WizCase’s team of ethical hackers, led by Ata Hakçıl, has found a major breach exposing a number of US cities, all of them using the same web service provider aimed at municipalities.

Original post at https://www.wizcase.com/blog/us-municipality-breach-report/

This breach compromised citizens’ physical addresses, phone numbers, IDs, tax documents, and more. Due to the large number and various types of unique documents, it is difficult to estimate the number of people exposed in this breach. There was no need for a password or login credentials to access this information, and the data was not encrypted.

What’s Happening?

Over a 100 US cities appeared to be using the same product, mapsonline.net, provided by an American company named PeopleGIS. The data of these municipalities was stored in several misconfigured Amazon S3 buckets that were sharing similar naming conventions to MapsOnline. Due to this, we believe these cities are using the same software solution. Our team reached out to the company and the buckets have since been secured.

PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data.

Our scanner revealed 114 Amazon Buckets that were named after the same pattern, revealing the connection to PeopleGIS. Among these, 28 appeared to be properly configured (meaning they weren’t accessible), and 86 were accessible without any password nor encryption.

This means there are 3 options:

  • PeopleGIS created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured;
  • The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets;
  • The Municipalities created the buckets themselves, with PeopleGIS guidelines about the naming format but without any guidelines regarding the configuration, which would explain the difference between the municipalities whose employees knew about it or not.

What Data Was Left Vulnerable?

Our team of ethical cybersecurity researchers discovered over 80 misconfigured Amazon S3 buckets holding data related to these municipalities, totalling over 1000 GB of data and over 1.6 million files. The type of files exposed varied by municipality. This variance and the number of municipalities involved means there was no way to give a clear estimate of the number of people left vulnerable in this breach.

Real Estate Tax Bill

Pictured: Example of Leaked Documents: Real Estate Tax Bill. Sensitive information redacted.

The type of documents exposed includes business licenses, residential records such as deeds, tax information, and resumes for applicants to government jobs. Information exposed in the breach include (but isn’t limited to):

  • Email address
  • Physical address
  • Phone number
  • Drivers license number
  • Real estate tax information
  • Photographs of individuals (on drivers licenses)
  • Photographs of properties
  • Building and city plans
Example of Leaked Documents: an emergency and hazardous chemical inventory form

Pictured: Example of Leaked Documents: an emergency and hazardous chemical inventory form. Sensitive information redacted.

Some of the vulnerable documents were redacted, but they were digitally redacted using transparent tools like a marker. This means whoever found them could change the contrast level of the document in a photo editor and see the redacted information. This means even documents that were redacted were potentially vulnerable in this breach.

An example of exposed documents: a drivers license

Pictured: An example of exposed documents: a drivers license. Sensitive information redacted.

The breach could lead to massive fraud and theft from citizens of those municipalities. The highly-sensitive nature of the data contained within a local government’s database, from phone numbers to business licenses to tax records, are highly susceptible to exploitation by bad actors. Much of this information is supposed to be only accessible by the government and the citizens, meaning someone could potentially defraud an individual by posing as a government official.

What Are the Risks and How to Protect Yourself

an example of exposed documents: a property registration form

Pictured: an example of exposed documents: a property registration form. Sensitive information redacted.

Identity Theft: The high amount of PIIs (personally identifiable information) and private details exposed in the breach could allow a bad actor to easily pose as someone else and steal their identity. This breach makes identity theft an especially dangerous risk because bad actors are more likely to succeed the more information they have.

Phishing, Frauds & Scams: The large number of financial and confidential records left vulnerable could allow hackers to pose as government officials for the purposes of phishing, defrauding, or scamming citizens.

Theft: Exposed residential information such as house plans, deeds, and owner information could give attackers insight on their targets. They could also use the information in this breach to find more vulnerable prey, such as senior citizens.

File Manipulation: This risk is dependent on how the municipalities use the data in the misconfigured buckets. If the files were simply used for backup storage, there’s little to no risk of property value manipulation. However, if the municipalities actively used the data in these buckets, it could be possible to overwrite the files to manipulate the value of a property, an individual’s tax information, and other methods.

Ransom: Attackers could download files from the bucket storage then wipe it and ransom the data back to the cities.

Unfortunately, the above list is not comprehensive, and cybercriminals are always generating new methods to exploit anyone vulnerable on the Internet.

Though most email clients have methods to block spam and phishing attempts, they are not 100% effective. When receiving an unexpected email from a seemingly trustworthy source, do not open any attachments. Phishing emails often use scare tactics to force users to open the attachment. If you are ever unsure about an email or phone call from an individual claiming to be a government employee, give their department a call. If they did not give a department when contacting you, they are likely not affiliated with the government. This will usually let you verify whether the attachment is legitimate or not.

In the event of a data breach, governments should inform potentially-vulnerable citizens as soon as possible.

Original post at https://www.wizcase.com/blog/us-municipality-breach-report/

About the author: Wizcase Cyber Research Team

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, US municipalities)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment