Pierluigi Paganini October 03, 2023

A misconfiguration in the Metropolitan Transportation Commission (MTC) systems caused a leak of over 26K files, exposing clients’ parking permits and home addresses.

The MTC is a governmental agency responsible for regional transportation planning and financing in the San Francisco Bay Area.

The latest research by Cybernews shows that the agency left public access to Amazon Web Services (AWS) buckets storing over 26,000 files.

Leaked files included PDF files with Bay Area Rapid Transit (BART) carpool parking permits sent out by the agency. The permits were obtained through the 511.org website, an online platform providing transportation information in the Bay Area.

Thousands of leaked permits exposed the users’ full names and home addresses. Our researchers found that the letters are dated between 2016 and 2021.

The researchers contacted MTC, and public access to the data was closed. Cybernews reached out to MTC for an official comment but has yet to hear back from them.

While the leaked parking permits are no longer valid, malicious actors could use the exposed data for identity theft and to craft spear phishing attacks.

If you want to know how MTC can mitigate the potential risks take a look at the original post:

https://cybernews.com/security/san-francisco-mtc-bart-data-leak/

Updated on October 27 [01:15 PM GMT]. The original version of the article incorrectly stated that a misconfiguration in the Metropolitan Transportation Commission (MTC) systems caused a leak of clients‘ vehicle plate numbers. In actuality, among other data, vehicle permit numbers and not vehicle registration numbers were exposed. The headline and the remaining paragraphs were updated to reflect the correct data.

About the author: Paulina Okunytė, Journalist at Cybernews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Metropolitan Transportation Commission )