A significant breach of sensitive information has emerged from a lost and found software provider serving multiple airports across the US, Canada, and Europe. Approximately 820,750 records were discovered unprotected in a database by Jeremiah Fowler, a cybersecurity researcher.
"I recently discovered a single publicly exposed database that was not password-protected or encrypted," said Fowler. The exposed data belonged to Lost and Found Software, a German company specializing in tracking and returning lost items for airports. Fowler’s investigation unveiled a total of 14 databases, ten of which were accessible publicly, revealing a staggering 122 GB of data.
The leaked records included details on a wide variety of lost items, from personal electronics and bags to antiquities. More troubling were the high-resolution images of identification documents, such as passports and driver's licenses, which raised concerns about potential identity theft. "The most concerning files I saw in the database were a large number of high resolution images of identification documents," Fowler noted.

By the Numbers
Fowler’s exploration of the database revealed not only lost item reports but also a collection of shipping labels and payment confirmations detailing efforts to return belongings to their owners. Numerous records were filed in folders titled “user image and item image,” suggesting a potential risk for misuse of this personal information.
Following his findings, Fowler acted quickly. "I immediately sent a responsible disclosure notice to Lost and Found Software," he reported. The rapid response resulted in access to all identified databases being restricted within hours of Fowler's notification.
Impact and Legacy
In a follow-up communication, Lost and Found Software identified the breach's cause as improper S3 bucket policy rules, stating, "The issue was caused by incorrect S3 bucket policy rules, which was overridden by ACL settings." It appears that this misconfiguration was isolated to specific S3 buckets and did not impact their entire internal database.
In response to the urgent notification from Fowler, the company stated, "Thank you for bringing your security research to our attention. We have already taken initial steps to restrict public access to the information and are working on removing access to the specific files that were available until now."
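
The company's explanation points at a common S3 pitfall: a bucket policy that looks restrictive does not cancel a public ACL grant unless it denies access explicitly or the bucket's Public Access Block tells S3 to ignore public ACLs. The following audit check is an added example, not code from Fowler or Lost and Found Software; the input shapes follow the S3 `GetBucketAcl`, `GetBucketPolicy` and `GetPublicAccessBlock` responses, and the bucket name, account ID and role are constructed.

```python
import json

# Group URIs that S3 ACLs use for public grantees.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_exposure(acl, policy_json, pab):
    """List the ways a bucket is publicly reachable, given its ACL, policy and
    Public Access Block settings (shapes follow the S3 API responses)."""
    findings = []
    # A public ACL grant is honoured unless IgnorePublicAcls is enabled.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
            if who:
                findings.append(f"ACL grants {grant['Permission']} to {who}")
    # A wildcard Allow in the policy is public unless RestrictPublicBuckets is on.
    # Simplification: any Condition block is treated as restricting access.
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            principal = stmt.get("Principal")
            if isinstance(principal, dict):
                principal = principal.get("AWS")
            if (stmt.get("Effect") == "Allow" and "*" in _as_list(principal)
                    and not stmt.get("Condition")):
                findings.append(f"Policy allows {stmt.get('Action')} to anyone")
    return findings

# Constructed sample: the policy names only one role, but the ACL is public.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
NO_BLOCK = {"IgnorePublicAcls": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print(public_exposure(SAMPLE_ACL, SAMPLE_POLICY, NO_BLOCK))
```

With the sample inputs the policy contributes no finding, yet the bucket is still reported as public through its ACL; enabling `IgnorePublicAcls` clears the finding.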

However, questions linger regarding the management and ownership of the compromised database. It remains unclear whether the data was managed directly by Lost and Found Software or if a third-party contractor was responsible. Furthermore, the duration of the exposure and the possibility of unauthorized access before Fowler's discovery are still unknown. Only a thorough internal forensic audit could potentially uncover any previous breaches or suspicious activities.
As cybersecurity incidents continue to rise, the importance of proper database management and configuration cannot be overstated. This event serves as a reminder for organizations that house sensitive personal information to implement rigorous security protocols, including regular audits and proactive monitoring to safeguard against potential breaches.
The fallout from this breach could have lasting impacts on affected individuals, underscoring the need for continued vigilance in cybersecurity practices across various sectors, especially in industries that handle vast amounts of personal data. As Lost and Found Software works to secure their databases, the industry as a whole must reflect and adapt to prevent similar incidents in the future.

