The target: TronicsXhange, a California-based electronics retailer
The take: 80,000 images of personal identification cards and 10,000 fingerprint scans. Information included: driver license number, full name, birthday, home address, gender, hair and eye color, height and weight, and a photo of the individual.
The attack vector: The breach occurred when an unsecured Amazon S3 bucket was discovered online even after the company had ended its operation. The database was connected with no password protection meaning anyone who found the correct URL could access and freely download the data.
The breach is serious as the sensitive information stored could lead to severe cases of fraud. Asset management is a critical procedure for any company, and the fact that this server was kept online even after the company had supposedly closed its doors for business highlights the extreme importance of proper decommissioning procedures to ensure sensitive information is securely destroyed or taken offline.