Securitas AB, a Sweden-based multinational security and investigation service provider has been discovered exposing sensitive data belonging to airport employees across Colombia and Peru. Earlier this week, researchers at SafetyDetectives uncovered a whopping 3 terabytes of data containing over 1.5 million files, thanks to one of its misconfigured Amazon S3 servers.
According to researchers, Securitas's AWS S3 buckets were not appropriately secured and contained approximately 3TB of data dating back to 2018, including airport employee records. While the researchers were was not able to examine every record in the database, four airports were named in leaked files: El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE).
The misconfigured AWS bucket, which did not require any authentication to access, contained two main datasets related to Securitas and airport employees. These included photos of ID cards and unmarked photos. The ID card photo displayed PII information of employees such as:
• Full names
• Occupations
• National ID Number
• Employee photos on the ID card.
The second set of unmarked photos contained the most sensitive data belonging to airports, employees, and associated companies including photos of planes, photos of employees, photos of employees loading and unloading luggage. Unstripped.EXIF data in these photographs was exfiltrated, providing the time and date the photographs were taken as well as some GPS locations.
"Considering Securitas' strong presence throughout Colombia and the rest of Latin America, companies in other industries could have been exposed," the researchers say. "It's also probable that various other places that use Securitas' security services are affected. Criminals could even use leaked data to create counterfeit ID cards and badges. A criminal could further strengthen their appearance as a legitimate employee by downloading leaked mobile apps.”
Additionally, application IDs listed within mobile apps were stored in the sever. The IDs were used for airport activities, including incident reports, pointing the researchers to the likely owner in the first place.
The SafetyDetectives team reported the data leak to Securitas on October 28, 2021, and followed up on November 2 after receiving no response. Securitas engaged in a conversation with the team and secured the server on the same day.