
Tens of thousands of medical school records found on misconfigured cloud storage

source link: https://siliconangle.com/2021/11/03/tens-thousands-medical-school-records-found-misconfigured-cloud-storage/

A U.S. medical school has been found to be exposing tens of thousands of student records online in the latest case of misconfigured cloud storage.

Discovered and detailed today by Noam Rotem and Ran Locar at vpnMentor, the breach involved data that belonged to Phlebotomy Training Specialists. Phlebotomy is the process of using a needle to take blood from a vein, and the company pitches itself as focusing on giving students real-world knowledge that can’t be gained from a book alone.

The student data was found on a single, open Amazon Web Services Inc. S3 storage bucket. The 157 gigabytes of student data covered an estimated 27,000 to 50,000 students and included personally identifiable information, national ID cards, academic records and more.

The vpnMentor researchers discovered the data on Sept. 4, then contacted the company three times, Sept. 7, 8 and 15, with no response. They then followed up by contacting Amazon on Sept. 15, then USA-CERT on Sept. 20. The data was taken offline between Oct. 8-11.

As with all such data exposures, leaving the records open to all and sundry exposes the school’s students to identity theft, phishing and various forms of fraud.

“Educational institutions entrusted with the collection and storage of sensitive, personally identifiable information must be proactive in their approach to security posture management,” Pravin Rasiah, vice president of product at cyber asset management company CloudSphere, told SiliconANGLE. “Leaving troves of data exposed without even basic password protection is an all-too-common example of misconfiguration in cloud environments.”

Although in this instance ethical security researchers discovered the leak, Rasiah noted that cybercriminals are constantly searching for exactly this type of exposure to harvest and exploit sensitive data.

“The healthcare and education industries continue to be a top target for cybercriminals who find new ways to obtain the endless sensitive patient and student information due to the organization’s requirements to store this data,” explained Troy Gill, senior manager of threat intelligence at Zix Corp.’s AppRiver. “This is a great reminder for organizations to examine their security solutions and evaluate their current authentication practices to ensure they are building the safest habits to protect themselves and sensitive data that they store from bad actors.”
