An online company that allows Americans to obtain birth/death certificates has been hit by a leak of information. More than 752,000 copies of birth certificates have been found in amazon Web Services (AWS) stores, and 90,400 death certificate applications have been found, but cannot be accessed or downloaded.
The repository is not password protected and anyone can access the data through a very easy-to-guess URL. Although the application process varies from state to state in the United States, it does the same task: to allow Americans to apply to the state’s record-keeping agency, usually the state health department, for a copy of their history. The application we review contains the applicant’s name, date of birth, current home address, email address, telephone number and historical personal information, including past address, family member’s name and reason for applying (e.g. applying for a passport) or studying family history.
Based on a survey of the data, it was found that these applications date back as early as the end of 2017 and that the repository is updated on a daily basis. In just one week, the company added nearly 9,000 application records to the repository. Fidus Information Security, a UK-based penetration testing company, found the exposed data. TechCrunch validates the data by matching names and addresses to public records.
Media have contacted local data protection authorities to warn of security breaches, but it did not immediately comment.