Whether it’s critical corporate data or students’ information, threat actors often misuse sensitive data obtained from security data breaches. Recently, security researchers from threat intelligence firm WizCase uncovered a massive data breach affecting a misconfigured Amazon S3 bucket owned by SeniorAdvisor. The company provides consumer ratings and reviews for senior care services across the U.S. and Canada.
The unsecured bucket contained over a million files, accounting for 182 GB of data belonging to three million senior citizens. The exposed information included users’ personally identifiable information (PII), including surnames, phone numbers, emails, and dates contacted. Most of the data exposed were in the form of leads (potential customers) collected by SeniorAdvisor, probably via email or telemarketing campaigns. The misconfigured database is now secured after WizCase researchers reported the issue to SeniorAdvisor.
WizCase researchers said, “Our security team found around 2,000 scrubbed reviews. These are reviews where the user’s sensitive information has been wiped or redacted. However, this scrubbing process is useless if you have the corresponding information. The scrubbed reviews had a lead id which could be used to trace the review back to who originally wrote it. Since the lead data and these scrubbed reviews were in the same database, supposedly anonymous reviewers could have their identity revealed with a simple search operation.”
Risks Involved
The data breach left senior citizens’ data vulnerable to various attacks. Elderly users are more prone to fall victim to phishing, social engineering, and other digital scams. According to a report from the FBI, cyberattacks on senior people have been increasing exponentially. The major cybercrimes against elders include extortion, personal data breach, tech support fraud, confidential fraud, dating scams, real estate, and social media frauds.
Earlier, the U.S. Department of Justice (DoJ) issued a fraud alert asking people to be vigilant when providing sensitive information over the phone. The agency stated that cybercriminals were falsely represented themselves as DOJ authorities to obtain personal information from the call recipients as part of imposter scams.
