Insecure Amazon S3 Bucket Exposed Personal Data on 500,000 Ghanaian Graduates
Cloud storage misconfiguration left sensitive data openly accessible.
Authorities in Ghana are investigating an apparent data breach that may have exposed the personal information of hundreds of thousands of citizens of the west African country.
Researchers at vpnMentor say they discovered a trove of unencrypted data tied to Ghana's National Service Secretariat (NSS) in a storage silo from Amazon Web Services (AWS).
NSS administers one-year public service programs that are compulsory for most Ghanaian graduates and involve thousands of young people working in sectors such as healthcare and education as a form of national service.
Some of the three million files related to NSS's work and held on an AWS S3 bucket were password protected but many were not – an oversight that exposed data of an estimated 500,000-600,000 people from March 2018 to the end of 2021, vpnMentor said.
Cloud storage misconfiguration
The AWS S3 bucket itself was neither encrypted nor password protected. The instance was misconfigured, and password protection was applied inconsistently, so that open versions of sensitive password-protected files were accessible in other directories, vpnMentor reports.
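An added example, not part of the original report or of vpnMentor's work: a defender's audit for the inconsistency described above, where a password-protected file also exists as an open copy under another prefix. It assumes the files are ZIP or PDF and that copies share a file name; the object listing is constructed sample data and the function names are hypothetical.

```python
import posixpath
import struct
from collections import defaultdict

def is_password_protected(data: bytes) -> bool:
    """Heuristic: True for an encrypted ZIP entry or a PDF carrying an /Encrypt entry."""
    if data[:4] == b"PK\x03\x04" and len(data) >= 8:
        (flags,) = struct.unpack_from("<H", data, 6)  # general-purpose bit flag
        return bool(flags & 0x0001)                   # bit 0 set = entry is encrypted
    if data[:5] == b"%PDF-":
        return b"/Encrypt" in data                    # encryption dictionary reference
    return False

def find_open_copies(objects: dict) -> dict:
    """Map each protected key to unprotected objects with the same file name."""
    by_name = defaultdict(list)
    for key, data in objects.items():
        name = posixpath.basename(key).lower()        # assumption: copies share a name
        by_name[name].append((key, is_password_protected(data)))
    findings = {}
    for copies in by_name.values():
        protected = sorted(k for k, p in copies if p)
        exposed = sorted(k for k, p in copies if not p)
        if protected and exposed:
            for key in protected:
                findings[key] = exposed
    return findings

def _zip_header(encrypted: bool) -> bytes:
    # Constructed minimal ZIP local file header: signature, version, flags, padding.
    return struct.pack("<4sHH", b"PK\x03\x04", 20, 1 if encrypted else 0) + b"\x00" * 22

# Constructed sample listing (object key -> object bytes); not data from the incident.
SAMPLE_OBJECTS = {
    "protected/2019/postings.zip": _zip_header(True),
    "exports/tmp/postings.zip": _zip_header(False),
    "protected/2020/id-cards.pdf": b"%PDF-1.7\ntrailer << /Encrypt 9 0 R >>\n%%EOF",
    "uploads/ID-Cards.pdf": b"%PDF-1.7\ntrailer << /Root 1 0 R >>\n%%EOF",
    "protected/2021/payroll.pdf": b"%PDF-1.7\ntrailer << /Encrypt 4 0 R >>\n%%EOF",
}

if __name__ == "__main__":
    for key, exposed in sorted(find_open_copies(SAMPLE_OBJECTS).items()):
        print(f"{key}: open copy at {', '.join(exposed)}")
```

Matching on file name misses renamed copies, so a finding list that comes back empty does not by itself show that no open copy exists.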
The exposed information potentially left thousands of Ghanaians at a greater risk of phishing, tax fraud and other forms of identity fraud.
Researchers from vpnMentor said that many of the documents contained the NSS logo and text directly related to the scheme.
The incident (along with suggested remediation advice) was reported both to NSS and Ghana’s Computer Emergency Response Team (GH-CERT).
The Daily Swig approached GH-CERT for comment on the incident. In response, GH-CERT confirmed the alleged breach was under investigation:
The report which you referred is under investigations with relevant bodies.
Consistent with operational procedures and best practices, the Cyber Security Authority cannot comment on matters under investigations [sic].
VpnMentor first discovered the alleged breach on September 29, notifying authorities on October 6 at the start of a somewhat protracted disclosure process.