Unsecured AWS server exposed 3TB in airport employee records

An unsecured server exposed sensitive data belonging to airport employees in Colombia and Peru.

ZDNet recommends

The best security key

While strong passwords help secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read more

On Monday, the SafetyDetectives cybersecurity team said the server was owned by Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire and security services.

In a report shared with ZDNet, SecurityDetectives said one of Securitas’ AWS S3 buckets was not properly secured, exposing more than a million files to the internet.

The server contained about 3TB of data dating back to 2018, including airport employee records. Although the team was unable to review all of the database records, four airports were named in the exposed files: El Dorado International Airport (COL), Alfonso Bonilla International Airport Aragón (COL), José María Córdova International Airport (COL) and Aeropuerto Internacional Jorge Chávez (PE).

The misconfigured AWS bucket, which required no authentication to access it, contained two main sets of data related to Securitas and airport employees. Among the records were photos of ID cards, personally identifiable information (PII), including names, photos, occupations and national identification numbers.

Additionally, SafetyDetectives says photographs of airline, aircraft, fuel line and baggage handling employees were also found in the bucket. Unstripped .EXIF data from these photographs has been exfiltrated, providing the time and date the photographs were taken as well as some GPS positions.



“Given the strong presence of Securitas throughout Colombia and the rest of Latin America, companies from other sectors could have been exposed,” the researchers explain. “It is also likely that various other locations that use Securitas security services will be affected.”

App IDs listed in mobile apps were also stored in the bucket. The identifiers were used for airport activities, including incident reports, pointing researchers to the likely owner in the first place.

Cybersecurity researchers contacted Securitas on October 28, 2021 and followed up on November 2 after receiving no response. Securitas engaged in a conversation with the team and secured the server the same day. The Swedish CERT has also been informed,

ZDNet has contacted Securitas, and we will update when we have a response.

See also

Do you have any advice? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0