Over 80 US Municipalities’ Sensitive Info Left Vulnerable

  • Written by Cyber Research Team WizCase

WizCase’s team of ethical hackers, led by Ata Hakçıl, has found a major breach exposing a number of US cities, all of them using the same web service provider aimed at municipalities. This breach compromised citizens’ physical addresses, phone numbers, IDs, tax documents, and more. Due to the large number and various types of unique documents, it is difficult to estimate the number of people exposed in this breach. There was no need for a password or login credentials to access this information, and the data was not encrypted.

What’s Happening?

PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data.

This means there are 3 options:

  • PeopleGIS created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured;
  • The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets;
  • The municipalities created the buckets themselves, with PeopleGIS guidelines about the naming format but without any guidelines regarding the configuration, which would explain the difference between municipalities whose employees knew about it and those whose employees did not.

What Data Was Left Vulnerable?

Real Estate Tax Bill - 1

The types of documents exposed include business licenses, residential records such as deeds, tax information, and resumes from applicants for government jobs. Information exposed in the breach includes (but isn’t limited to):

  • Email address
  • Physical address
  • Phone number
  • Driver’s license number
  • Real estate tax information
  • Photographs of individuals (on driver’s licenses)
  • Photographs of properties
  • Building and city plans

Example of leaked documents: an emergency and hazardous chemical inventory form - 2

Some of the vulnerable documents were redacted, but they were digitally redacted using transparent tools like a marker. Whoever found them could change the contrast level of the document in a photo editor and see the redacted information, so even documents that were redacted were potentially vulnerable in this breach.
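A pre-publication check for the redaction failure described above, as an added example that is not part of the original report: it flags a redacted region that still carries pixel variation from the content underneath. The page image, the box coordinates and all function names are constructed for illustration.

```python
# Added example (not from the WizCase report). A redaction is only safe when
# the covered region is a flat, fully opaque fill: any remaining variation in
# grey level is leftover signal from the content underneath.

def blend(page, box, ink, opacity_pct):
    """Paint grey level `ink` over `box` at `opacity_pct` (100 = fully opaque)."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in page]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = (opacity_pct * ink + (100 - opacity_pct) * page[y][x]) // 100
    return out

def residual_range(image, box):
    """Max minus min grey level inside `box`; 0 means a flat fill."""
    x0, y0, x1, y1 = box
    pixels = [image[y][x] for y in range(y0, y1) for x in range(x0, x1)]
    return max(pixels) - min(pixels)

def redaction_is_safe(image, box, tolerance=0):
    """True when no more than `tolerance` grey levels of variation remain."""
    return residual_range(image, box) <= tolerance

# Constructed 24x8 greyscale "scan": white paper (255) with dark strokes (0)
# standing in for text on rows 2-5.
PAGE = [[0 if 2 <= y <= 5 and (x + y) % 3 == 0 else 255 for x in range(24)]
        for y in range(8)]
BOX = (2, 2, 20, 6)  # x0, y0, x1, y1 of the field to redact (constructed)

MARKER = blend(PAGE, BOX, ink=0, opacity_pct=90)   # translucent "marker" tool
OPAQUE = blend(PAGE, BOX, ink=0, opacity_pct=100)  # solid fill

if __name__ == "__main__":
    for name, img in (("marker", MARKER), ("opaque", OPAQUE)):
        print(name, "residual:", residual_range(img, BOX),
              "safe:", redaction_is_safe(img, BOX))
```

The check applies to a flattened raster image. Formats that keep the original content in a separate layer beneath the mark need to be flattened before the check means anything.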

An example of exposed documents: a driver’s license - 3

The breach could lead to massive fraud and theft from citizens of those municipalities. The highly sensitive data contained within a local government’s database, from phone numbers to business licenses to tax records, is highly susceptible to exploitation by bad actors. Much of this information is supposed to be accessible only by the government and the citizens, meaning someone could potentially defraud an individual by posing as a government official.

What Are the Risks and How to Protect Yourself

An example of exposed documents: a property registration form - 4

Identity Theft: The large amount of PII (personally identifiable information) and private details exposed in the breach could allow a bad actor to easily pose as someone else and steal their identity. This breach makes identity theft an especially dangerous risk because bad actors are more likely to succeed the more information they have.

Phishing, Frauds & Scams: The large number of financial and confidential records left vulnerable could allow hackers to pose as government officials for the purposes of phishing, defrauding, or scamming citizens.

Theft: Exposed residential information such as house plans, deeds, and owner information could give attackers insight into their targets. They could also use the information in this breach to find more vulnerable prey, such as senior citizens.

File Manipulation: This risk depends on how the municipalities use the data in the misconfigured buckets. If the files were simply used for backup storage, there’s little to no risk of property value manipulation. However, if the municipalities actively used the data in these buckets, it could be possible to overwrite the files to manipulate the value of a property, an individual’s tax information, and more.

Ransom: Attackers could download files from the bucket storage, then wipe it and ransom the data back to the cities.

Unfortunately, the above list is not comprehensive, and cybercriminals are always generating new methods to exploit anyone vulnerable on the Internet.

In the event of a data breach, governments should inform potentially-vulnerable citizens as soon as possible.

Why Should I Trust WizCase?

WizCase is a widely popular web security platform offering advice and tips for thousands of readers every week. Translated into over 30 languages, our website has gained the trust of a wide number of people worldwide. I frequently come across fresh instances of data breaches online and reach out to the respective companies before releasing any reports. We have found leaks and breaches affecting many different companies, from news websites, to popular dating apps, and to the medical industry. Together, we’re working hard towards creating a safer online environment for everyone.