
All news in category "Incidents and Data Breaches"

Sat, July 26, 2025

Public Exposure of Tetrad Consumer Data Sets in S3

🔓 UpGuard Research discovered a publicly accessible Amazon S3 bucket containing detailed consumer data attributed to Tetrad, including files derived from Experian Mosaic, Claritas/PRIZM, and client-supplied datasets covering over 120 million U.S. household records. The exposure included full names, addresses, gender, Mosaic codes, and retailer account and purchase information. UpGuard notified Tetrad in early February and, after repeated contact, the company removed public access and secured the bucket. The dataset's breadth raises significant privacy and targeted-risk concerns for individuals and communities.


Sat, July 26, 2025

HR Data Exposure: How Employees and Clients Are Affected

🔒 UpGuard’s Cyber Risk Research team discovered and secured a public GitHub exposure containing sensitive employee and customer data belonging to OneHalf, a business process outsourcing firm in the APAC region. The principal artifact was the HRIS project, including a 1.2MB database dump (hrisdb-02012018.sql) with detailed personal records for roughly 250 employees, extensive medical histories, emergency contacts, and 300 usernames with plaintext passwords. A related repo, ohserviceform, listed 28 client companies and plaintext banking account numbers, increasing the risk of financial fraud. UpGuard notified OneHalf and the repositories were secured by August 22, 2018.


Sat, July 26, 2025

Top Secret INSCOM Data Exposed via Public AWS S3 Repository

🔓 On September 27, 2017, UpGuard researcher Chris Vickery discovered an Amazon S3 bucket at the AWS subdomain "inscom" that was publicly accessible and contained 47 entries with three downloadable files. One download, an .ova virtual appliance named "ssdev," included a virtual hard drive with partitions and metadata labeled Top Secret and NOFORN. The exposed assets also contained private keys, hashed passwords, a ReadMe referencing the Pentagon cloud project Red Disk, and a classification-training snapshot. UpGuard notified INSCOM and the repository was promptly secured.


Sat, July 26, 2025

Leakzone Elasticsearch Exposure Reveals Visitor IP Logs

🔎 UpGuard discovered an unauthenticated Elasticsearch index containing roughly 22 million web-request records, of which about 95% referenced leakzone.net. The logs included client IP addresses, destination domains, request sizes, geolocation data and ISP metadata, spanning June 25 to discovery on July 18, with about one million requests per day. Analysis found extensive use of public proxies and clustered VPN exit nodes, alongside many one-off IPs likely representing direct users. The dataset raises privacy and operational concerns for visitors, service operators, and investigators.


Sat, July 26, 2025

111 GB Customer Data Exposure at National Credit Federation

🔓 UpGuard discovered 111 GB of internal customer records from National Credit Federation stored in a publicly accessible Amazon S3 bucket, including names, addresses, dates of birth, scanned driver’s licenses and Social Security cards, full bank and credit card numbers, and complete credit reports. The repository contained personalized credit blueprints and videos showing employee access. UpGuard notified the company, which promptly secured the bucket. The case highlights the need for rigorous cloud permission controls and continuous configuration monitoring.


Sat, July 26, 2025

AggregateIQ Files Part Three: Monarch and Saga Tools

🔎 The UpGuard Cyber Risk Team details a public discovery of AggregateIQ repositories that exposed sophisticated political targeting tools. The report highlights project families Monarch and Saga, describing ad-scraping scripts, pixel trackers, and ingestion services that link Facebook ad activity to web behavior. Exposed credentials and AWS assets amplify privacy and oversight concerns.


Sat, July 26, 2025

Misconfigured S3 Exposed Tea Party Campaign Assets Online

🔓 UpGuard disclosed that an Amazon S3 bucket belonging to the Tea Party Patriots Citizens Fund (TPPCF) publicly exposed roughly 2GB of campaign materials and call lists. The files—largely PDFs and images from the 2016 election cycle—contained strategy documents, marketing assets, and call records listing full names, phone numbers and VoterIDs for about 527,000 individuals. Upon notification on October 1, 2018, TPPCF restricted bucket permissions within hours and removed access by October 5. The incident underscores how cloud misconfiguration can turn organizational data into a large-scale privacy breach with political implications.


Sat, July 26, 2025

Public S3 Exposure: LocalBlox Leak of 48M Records Incident

🔓 The UpGuard Cyber Risk Team discovered a publicly accessible AWS S3 bucket containing a 1.2 TB ndjson file with 48 million records belonging to LocalBlox. The dataset included names, addresses, dates of birth, scraped LinkedIn and Facebook content, Twitter handles, and blended data from sources like Zillow. UpGuard notified LocalBlox on February 28, 2018, and the bucket was secured the same day. This exposure highlights the real-world risk of simple cloud misconfigurations.


Sat, July 26, 2025

Long Island Medical Practice Exposed 42,000 Patient Records

🔓 UpGuard discovered a publicly accessible rsync repository exposing medical and personal data tied to Cohen Bergman Klepper Romano MDS PC, a Long Island practice. The repository contained over 42,000 patient records, more than three million medical notes, and physicians’ PII including Social Security numbers. A .pst backup and virtual disk revealed staff home addresses and family details. UpGuard’s notification led to the exposure being secured, underscoring the need for strong access controls and formal disclosure response procedures.


Sat, July 26, 2025

OneHalf Data Exposure Exposes Employee and Client Records

🔒 UpGuard's Cyber Risk Research team discovered and secured a public GitHub-based data exposure belonging to OneHalf, a business process outsourcing firm in the APAC region. The exposed repositories contained HR and medical databases with detailed personal records for hundreds of employees, plus banking account numbers for several corporate clients. UpGuard notified OneHalf and the repositories were taken private, likely preventing further exploitation of sensitive personal and business information.


Sat, July 26, 2025

Spartan Technology Exposed South Carolina Arrest Data

🔒 UpGuard identified an unsecured AWS S3 bucket containing MSSQL backups linked to Spartan Technology, exposing records from 2008–2018. The dataset comprised roughly 60 GB across four backup files and documented about 5.2 million arrest events and approximately 26,000 unique defendants; around 17,000 unique Social Security numbers were present. Victim and witness records included names and phone numbers only. After notification on November 19, 2019, Spartan promptly removed public access and worked with researchers to secure the data.


Sat, July 26, 2025

Leakzone Exposure Reveals 22M Access Log Records and IPs

🔒 UpGuard discovered an unauthenticated Elasticsearch instance exposing roughly 22 million web-request records tied predominantly to Leakzone, a forum for illicit data and hacking tools. The logs contained domains, client IPs, geolocation and ISP metadata, and request sizes spanning late June through the July 2025 discovery. Analysis shows widespread use of public proxies and VPN exit nodes, with much traffic routed through major cloud providers, limiting reliable geolocation.


Sat, July 26, 2025

Top-Secret INSCOM Data Exposed via Public S3 Bucket

🔐 UpGuard discovered a publicly accessible Amazon S3 bucket tied to the United States Army Intelligence and Security Command (INSCOM) that contained clearly classified material, including an Oracle virtual appliance (.ova) with partitions labeled Top Secret and NOFORN. Downloadable artifacts included a plaintext ReadMe referencing the Red Disk cloud platform and a .jar used for intelligence tagging. The exposure also revealed private keys and hashed passwords linked to a third-party contractor. UpGuard notified INSCOM and the bucket was secured to prevent further access.


Sat, July 26, 2025

Neoclinical Database Exposed Sensitive Patient Profiles

🔒 UpGuard disclosed that an unsecured MongoDB instance belonging to Neoclinical, an Australia–New Zealand clinical-trial matching service, exposed a database of 37,170 user profiles. The records included names, contact details, geocoordinates, dates of birth and structured answers to trial-qualification questions that revealed sensitive health information and potential illicit drug use. A researcher found the database on July 1, attempted email and phone contact, escalated to AWS on July 25, and public access was removed on July 26. UpGuard secured the database to prevent further public exposure.


Sat, July 26, 2025

DSCC S3 Misconfiguration Exposed 6.2M Email Addresses

🔓 UpGuard researchers discovered an Amazon S3 bucket tied to the Democratic Senatorial Campaign Committee exposing a 145MB zip file that contained a CSV of roughly 6.2 million email addresses. The unprotected bucket granted global authenticated FULL_CONTROL, allowing anyone with a free AWS account to access or modify contents. The file, last modified in 2010 and named EmailExcludeClinton.csv, appears to be an exclusion list and includes consumer, .edu, .gov, and .mil domains. UpGuard notified DSCC and the bucket was secured the following day.


Sat, July 26, 2025

AggregateIQ Code Leak Exposes Political Targeting Tools

🔓 UpGuard disclosed that a large GitLab repository belonging to AggregateIQ was publicly accessible, exposing source code, configuration files, and numerous credentials. The leak included applications and tools — notably projects named Ripon_canvas and Ripon_dialer — designed to manage voter databases, microtargeting, canvassing, and automated outreach. Credentials for Facebook apps, Twilio, AWS, and other services were present, raising the risk of account takeover and large-scale data harvesting. UpGuard linked the repository to work for US campaigns and reported ties to Cambridge Analytica, with further technical analysis promised in subsequent reports.


Sat, July 26, 2025

Viacom Cloud Leak Exposes AWS Keys and Puppet Data

🔒 An UpGuard researcher discovered a publicly accessible Amazon S3 bucket exposing Viacom’s internal provisioning and cloud credentials. The archive—found under the subdomain "mcs-puppet"—contained seventy-two incremental .tgz backups with Puppet manifests, configuration files, GPG decryption keys and the AWS access key and secret. Viacom was notified on August 31, 2017 and the exposed buckets were secured within hours, preventing active compromise.


Sat, July 26, 2025

Amazon Engineer Exposed Credentials in Public GitHub Repo

⚠️ On 13 January 2020, UpGuard identified a public GitHub repository containing sensitive material tied to an Amazon Web Services engineer. The repo, roughly 954 MB when downloaded, included personal identity documents, bank statements, log files, AWS key pairs (including a file labeled rootkey.csv), private keys, passwords and third-party API tokens. UpGuard analysts detected the exposure within half an hour, notified AWS Security early that afternoon, and the repository was taken out of public view the same day. Rapid detection and remediation appear to have prevented escalation; there is no evidence of malicious intent or end-user data compromise.


Sat, July 26, 2025

Open Enrollment: HCL Exposed Passwords and Projects

🔓 During a routine data-leak investigation, UpGuard researchers discovered multiple publicly accessible HCL web pages that exposed employee records, plaintext passwords for new hires, and detailed project installation reports. The exposed assets spanned HR dashboards, a SmartManage reporting interface, and recruitment/admin panels across several subdomains. After notifying HCL’s Data Protection Officer, the researcher confirmed that the publicly accessible pages were secured. The incident highlights how inconsistent access controls across applications can cause significant risk.


Sat, July 26, 2025

LA County 211 Data Leak Exposes Sensitive Call Records

⚠️ UpGuard disclosed a public data exposure affecting the Los Angeles County 211 helpline. An Amazon Web Services S3 bucket was configured for public access and contained database backups and CSV exports, including a 1.3GB t_contact export with records from 2010–2016. Exposed items included credentials (384 users, MD5-hashed passwords), contact lists, and over 200,000 detailed call notes describing abuse, suicidal ideation, addresses, phone numbers, and 33,000 Social Security numbers. After notification in March–April 2018 the bucket was secured within 24 hours, but the incident highlights critical cloud misconfiguration risks.
