Securitas misconfiguration exposed airport employee info
The SafetyDetectives cybersecurity team discovered a critical data leak affecting the prominent multinational security company, Securitas…. One of the company’s Amazon S3 buckets was left open, exposing over 1 million files. The data we observed related to airport employees from different sites across Colombia and Peru, and there could be entities from other nations with exposed data on the bucket.
According to their report, the misconfigured bucket was discovered on October 28, 2021. The contents of the bucket dated back to November 2018, but it was not clear how long the bucket had been exposed or whether others had accessed it.
We sent a responsible disclosure of the data exposure to Securitas on October 28th, 2021. Securitas replied a day later, telling us to disclose the breach to a different company email address (which we did on the same day). On November 1st, 2021, we sent a follow-up message to Securitas as the bucket was still unsecured, and we also disclosed the breach to the Swedish CERT.
Securitas replied on November 2nd, 2021, and the open AWS S3 bucket was secured. The Swedish CERT also replied on this day, though their message came after Securitas had closed the bucket.
Will Securitas be making notifications to regulators or employees under the GDPR?
DataBreaches.net sent an email to Securitas’s press office yesterday with several questions about this incident and their response. No reply has been received by the time of this publication.