All news with #pii tag

Google rolls out age assurance to protect U.S. youth

🛡️ Over the coming weeks Google will begin a limited U.S. rollout of age assurance, a system designed to distinguish users under 18 from adults and apply age-appropriate protections across its products. For accounts identified as minors Google will enable defaults such as YouTube Digital Wellbeing tools, disable Maps Timeline, turn off personalized advertising, and block adult-only apps on Google Play. The approach combines machine-learning age estimation based on existing account signals with optional age verification — including a government ID or a selfie — when users dispute their estimated age, and Google will notify users and provide options for adult verification.

Spartan Technology S3 Exposure of South Carolina Arrests

🔒 UpGuard Research discovered a publicly accessible AWS S3 bucket containing roughly 60 GB of MSSQL backups uploaded by a Spartan Technology employee, exposing South Carolina justice-system records spanning 2008–2018. The dataset included about 5.2 million arrest-event rows, tens of millions of related records, and sensitive PII such as names, dates of birth, driver’s license numbers and roughly 17,000 Social Security numbers. Permissions included the "AuthenticatedUsers" group, enabling broad access; Spartan removed public access the same day after notification.

Medico Inc. S3 Misconfiguration Exposes Patient Data

🔓 Medico Inc. left an Amazon S3 bucket publicly accessible, exposing nearly 14,000 documents (approximately 1.7GB) that included medical records, insurance claims, legal files, and internal business data. The UpGuard Data Breach Research Team discovered the bucket on June 20, 2019, and Medico closed it within hours after notification. The dataset contained unredacted PII such as SSNs, bank account numbers, and payment card data, and also included plaintext credentials that could enable further compromise.

AggregateIQ Repositories Expose Multiple Brexit Sites

📂 UpGuard's analysis of exposed development repositories from AggregateIQ details source code, backups, and credentials tied to multiple pro-Brexit organizations. The findings show WordPress backups, API keys, Stripe secrets, and scripts used to build and contact supporter lists, with administrative accounts linking AIQ staff to sites such as Vote Leave, Change Britain, and the DUP. Misuse of the exposed assets could have allowed large-scale data access or payment compromise.

HCL Exposed New-Hire Passwords and Project Reports

🔓 In May 2019 UpGuard researchers discovered publicly accessible HCL pages that exposed personal information, plaintext passwords for new hires, and detailed project reports. The data was dispersed across multiple subdomains and web UIs, including HR dashboards, recruiting approval panels, and a SmartManage reporting interface. After notifying HCL's Data Protection Officer, the researcher confirmed the anonymous-access pages were taken offline within days. The incident underscores the risk of misconfigured application pages and the importance of clear reporting channels and prompt incident response.

LA County 211 Data Exposure: Emergency Call Records

🔒 The UpGuard Cyber Risk Team discovered an Amazon S3 bucket for LA County 211 that was publicly accessible and contained Postgres backups and CSV exports with sensitive data. A 1.3GB t_contact export included millions of records, roughly 200,000 detailed call notes and 33,000 Social Security numbers, alongside 384 user accounts with MD5-hashed passwords. The exposure dated from 2010–2016; UpGuard notified the service in March–April 2018 and confirmed the bucket was closed within 24 hours of contact.

Robotics Vendor Exposed Sensitive Manufacturing Data

🔓 Level One Robotics left 157 GB of sensitive customer, employee, and corporate files accessible via an unrestricted rsync server, exposing CAD drawings, factory layouts, robotic configurations, NDAs, identity documents, and banking records for over 100 manufacturing clients. UpGuard discovered the exposure on July 1, 2018 and began outreach on July 5; after contact on July 9, Level One remediated the server by July 10. The incident underscores third- and fourth-party supply-chain risk and the need to restrict file-transfer services by IP and authentication, enforce vendor security standards, and maintain rapid exposure-response procedures.

Public S3 Exposure Reveals Sensitive Customer Data at NCF

🔓 On October 3, 2017 UpGuard researcher Chris Vickery discovered a publicly accessible Amazon S3 bucket belonging to National Credit Federation containing 111 GB of internal and customer records. The repository included scanned IDs, Social Security card images, full credit reports from Equifax, Experian, and TransUnion, personalized credit blueprints, and full bank and card numbers. National Credit Federation secured the bucket after notification and UpGuard found no evidence of theft in this report. The case underscores the necessity of validating cloud storage permissions and continuously monitoring third-party risk.

Election Systems & Software Exposed 1.8M Chicago Voters

🔓The database of Omaha-based voting machine vendor Election Systems & Software was left publicly accessible on an Amazon S3 bucket, exposing records for 1.864 million Chicago voters. The exposed MSSQL backups included names, addresses, dates of birth, phone numbers, driver’s license numbers and the last four digits of Social Security numbers. UpGuard discovered the open bucket on Aug 11, 2017 and notified ES&S, which closed access the next day.

Medcall S3 Misconfiguration Exposed Medical Records

🔓 UpGuard disclosed that an unsecured Medcall Healthcare Advisors Amazon S3 bucket exposed roughly 7 GB of sensitive information, including PDF intake forms, CSV files containing full Social Security numbers, and 715 recorded patient-doctor and operator calls. The bucket was publicly readable and writable with an 'Everyone - Full Control' ACL and was taken offline after UpGuard notified Medcall. The case underscores the danger of vendor misconfiguration and third-party exposure of protected health information.

AggregateIQ: Exposed Targeting Tools 'Monarch' and Saga

🔍 AggregateIQ's public repository exposed sophisticated ad and tracking tools linked to political campaigns. The Saga suite automates Facebook ad scraping, performance reconciliation, and asset backup, while Monarch provides pixel-based tracking (Jewel, Peasant) and a microservice stack (Peon) for event ingestion and enrichment. The codebase included credentials and configs enabling fine-grained targeting, though working user datasets were not present. The exposure raises significant privacy and electoral concerns.

111 GB Customer Data Exposure at National Credit Federation

🔓UpGuard discovered 111 GB of internal customer records from National Credit Federation stored in a publicly accessible Amazon S3 bucket, including names, addresses, dates of birth, scanned driver’s licenses and Social Security cards, full bank and credit card numbers, and complete credit reports. The repository contained personalized credit blueprints and videos showing employee access. UpGuard notified the company, which promptly secured the bucket. The case highlights the need for rigorous cloud permission controls and continuous configuration monitoring.

LocalBlox S3 Misconfiguration Exposes 48M Records Publicly

🔓 UpGuard discovered an Amazon S3 bucket owned by LocalBlox that was publicly accessible, exposing a 1.2 TB ndjson archive containing approximately 48 million personal profiles. The dataset aggregated names, addresses, dates of birth, scraped LinkedIn and Facebook content, Twitter handles, and other identifiers used to build psychographic profiles. UpGuard notified LocalBlox and the bucket was secured on February 28, 2018. The incident highlights how a simple cloud misconfiguration can compromise consumer privacy and enable targeted influence at scale.

AggregateIQ Files Part Three: Monarch and Saga Tools

🔎 The UpGuard Cyber Risk Team details a public discovery of AggregateIQ repositories that exposed sophisticated political targeting tools. The report highlights project families Monarch and Saga, describing ad-scraping scripts, pixel trackers, and ingestion services that link Facebook ad activity to web behavior. Exposed credentials and AWS assets amplify privacy and oversight concerns.

Misconfigured S3 Exposed Tea Party Campaign Assets Online

🔓 UpGuard disclosed that an Amazon S3 bucket belonging to the Tea Party Patriots Citizens Fund (TPPCF) publicly exposed roughly 2GB of campaign materials and call lists. The files—largely PDFs and images from the 2016 election cycle—contained strategy documents, marketing assets, and call records listing full names, phone numbers and VoterIDs for about 527,000 individuals. Upon notification on October 1, 2018, TPPCF restricted bucket permissions within hours and removed access by October 5. The incident underscores how cloud misconfiguration can turn organizational data into a large-scale privacy breach with political implications.

Public S3 Exposure: LocalBlox Leak of 48M Records Incident

🔓 The UpGuard Cyber Risk Team discovered a publicly accessible AWS S3 bucket containing a 1.2 TB ndjson file with 48 million records belonging to LocalBlox. The dataset included names, addresses, dates of birth, scraped LinkedIn and Facebook content, Twitter handles, and blended data from sources like Zillow. UpGuard notified LocalBlox on February 28, 2018, and the bucket was secured the same day. This exposure highlights the real-world risk of simple cloud misconfigurations.

OneHalf Data Exposure Exposes Employee and Client Records

🔒 UpGuard's Cyber Risk Research team discovered and secured a public GitHub-based data exposure belonging to OneHalf, a business process outsourcing firm in the APAC region. The exposed repositories contained HR and medical databases with detailed personal records for hundreds of employees, plus banking account numbers for several corporate clients. UpGuard notified OneHalf and the repositories were taken private, likely preventing further exploitation of sensitive personal and business information.

Spartan Technology Exposed South Carolina Arrest Data

🔒 UpGuard identified an unsecured AWS S3 bucket containing MSSQL backups linked to Spartan Technology, exposing records from 2008–2018. The dataset comprised roughly 60 GB across four backup files and documented about 5.2 million arrest events and approximately 26,000 unique defendants; around 17,000 unique Social Security numbers were present. Victim and witness records included names and phone numbers only. After notification on November 19, 2019, Spartan promptly removed public access and worked with researchers to secure the data.

Marketing PR Platform Exposed Data of Hundreds of Thousands

🔓 UpGuard identified an Amazon S3 bucket tied to iPR Software that publicly exposed over a terabyte of files, including a 17 GB MongoDB backup. The collection contained 477,000 media contacts, approximately 35,000 hashed passwords, client marketing assets, internal PR strategy documents, and credentials for Google, Twitter, and a MongoDB host. UpGuard notified iPR in October 2019; public access was removed in late November after follow-up and media engagement.

Open rsync Repository Exposes 42,000+ Patients' Records

🔒 UpGuard discovered a publicly accessible rsync repository tied to Cohen Bergman Klepper Romano Mds PC that exposed records for more than 42,000 patients and over three million medical notes. The exposed data included patient and physician names, Social Security numbers, dates of birth, phone numbers, email and insurance information, along with an Outlook .pst and a virtual hard drive containing staff home addresses and family details. UpGuard notified the affected parties and Accenture, and the repository was secured after follow-up, underscoring failures in basic access controls and the need for faster remediation.