[BreachExchange] Oh buoy. Rich yacht bods' job agency leaves 17,000 sailors' details exposed in AWS bucket

Destry Winant destry at riskbasedsecurity.com
Wed Feb 5 10:12:16 EST 2020


https://www.theregister.co.uk/2020/02/04/crew_and_concierge_data_breach/

A private yacht crew recruitment agency has left an AWS bucket
containing the CVs, passports and even some drug test results for up
to 17,000 people exposed to world+dog, according to reports.

Crew & Concierge – a Bath-based jobs firm that targets "high net worth
individuals", yacht captains and management companies searching for
seafarers to crew private yachts – left an AWS S3 bucket open to
anyone and everyone for around 11 months starting in February 2019.

British news site Verdict reported that 17,379 seafarers' CVs were
exposed, along with thousands of ENG1 medical certificates and
passport scans.

A total of 90,000 files were exposed, it was said, including sample
menus from chefs hoping to fill a billet aboard some oligarch's
floating gin palace.

In a statement to Verdict, Crew & Concierge director Sara Duncan
blamed "the team of developers we had hired" for the bucket being left
open, saying she had trusted the devs to "do a competent job" of
securing "personal and sensitive personal information relating to our
registered crew".

The breach has been reported to the Information Commissioner's Office,
as required by the Data Protection Act 2018.

Duncan continued, saying: "It appears likely that the individual or
individuals responsible have developed advanced tools designed
specifically to identify AWS customers and whether or not they have
[a] misconfigured instance that may leave it open to malicious
attack."

Such so-called "advanced tools" include the search engine Gray Hat
Warfare, which does for AWS buckets what Shodan does for IoT devices
carelessly and inappropriately left accessible by the public.
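The "misconfigured instance" Duncan refers to is an S3 bucket whose ACL or bucket policy grants access to everyone while Block Public Access is switched off. As an added example (not code from the article, The Register or Crew & Concierge), the Python below classifies a bucket's exposure from the structures that boto3's get_bucket_acl, get_public_access_block and get_bucket_policy()["Policy"] return; the sample data at the bottom is constructed, and the all-four-settings check is a deliberately conservative reading of Block Public Access.

```python
import json

# The two grantee groups that make an ACL grant "public".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (unauthenticated)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def block_public_access_effective(pab):
    """True only if all four Block Public Access settings are enabled (conservative check)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k, False) for k in
               ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets"))

def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant to a global grantee group."""
    findings = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], g.get("Permission")))
    return findings

def policy_allows_everyone(policy_json):
    """True if any Allow statement in the bucket policy uses the wildcard principal."""
    if not policy_json:
        return False
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a policy may carry a single statement object
        stmts = [stmts]
    for st in stmts:
        p = st.get("Principal")
        if st.get("Effect") == "Allow" and (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
            return True
    return False

def bucket_exposure(acl, pab, policy_json=None):
    """List the reasons a bucket is reachable without credentials; empty means not public."""
    if block_public_access_effective(pab):
        return []  # Block Public Access overrides public ACLs and public policies
    reasons = [f"ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    if policy_allows_everyone(policy_json):
        reasons.append("bucket policy allows Principal '*'")
    return reasons

# Constructed samples: a READ grant to AllUsers with Block Public Access off, as in the article.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
NO_BLOCK = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False, "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}
```

Run this over every bucket in your own account (list_buckets, then the three calls per bucket); a non-empty result is the finding to fix, normally by enabling Block Public Access at the account level.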

A few weeks ago Britain's Royal Yachting Association (RYA) 'fessed up
to a breach of its member database circa 2015. The two incidents are
not thought to be linked, in particular because the RYA identified
malicious access to the database in question whereas Crew & Concierge
left the door to its digital stables wide open.