A US medical training school exposed the personally identifiable information (PII) of thousands of students.
On Wednesday, vpnMentor published a report on the security incident, in which an unsecured bucket was left exposed online.
The server, which did not have authentication controls in place and was, therefore, accessible by anyone to view, contained 157GB of data, or just under an estimated 200,000 files.
After discovering the open system, the researchers traced the owner as Phlebotomy Training Specialists. The LA-based organization offers phlebotomy certification and courses in states including Arizona, Michigan, Texas, Utah, and California.
According to vpnMentor, the records contained within were backed up from September 2020, but some were created before this time.
The unsecured Amazon S3 bucket contained a variety of PII including ID card and driver license copies, as well as CVs, revealing names, dates of birth, genders, photos of students, home addresses, phone numbers, email addresses, and both professional and educational summaries.
In addition, over 27,000 tracking forms were found that in some cases contained the last four digits of Social Security numbers, as well as student transcripts and training certificate scans.
vpnMentor’s team, led by Noam Rotem and Ran