LA County contractor joins list of cloud users found to have lax security settings
Los Angeles County, the nation’s most populous county, disclosed last week that a nonprofit group that runs its social-services phone hotline stored residents’ personal information on a cloud server that was left accessible to the public.
The exposure, which was first discovered by the cybersecurity firm UpGuard, included 3.5 million call logs and hundreds of thousands of detailed notes, including people’s names, physical addresses and Social Security numbers.
In an article on its website, UpGuard said that its risk team found an Amazon Web Services account labeled “lacounty” that was discoverable thanks to its “S3 bucket” permission settings allowing anyone on the internet to access it. The repository was found to contain records logged by 211 L.A. County, which operates a hotline that connects 10 million residents to a range of services including child care, health care, elder-abuse complaints, disaster preparation, veterans services and support for the homeless.
UpGuard said it discovered the exposed data on March 14 and “began notification efforts immediately.” L.A. County finally responded on April 24 and removed the Amazon file from public view.
The county is hardly alone in this kind of incident. UpGuard has catalogued numerous similar exposures over the past year, including one involving U.S. military data.
It’s unknown if anyone did access 211 L.A. County’s cloud storage and download its contents, but if they had, they would’ve come into possession of six years’ worth of calls to the hotline, along with employees’ email addresses and potentially their passwords — UpGuard said passwords were hidden with a protocol that the cybersecurity industry considers relatively weak.
But the call log contained information given by many of the 500,000 Los Angeles County residents who call the hotline annually. Of the 3.5 million calls exposed, 200,000 resulted in detailed notes. Of those, 33,000 listed a person’s Social Security number.
While the data exposure originated with a contractor, the county government said it is determining whether any resident’s personal identifying information was accessed or abused as a result.
“The county will be closely monitoring strong assurances from the vendor that it has strengthened its data safeguards, as well as its policies, protocols, processes and oversight to avoid any future exposure of sensitive information,” the county’s chief information officer, Bill Kehoe, told the Los Angeles Times.
It’s not Los Angeles County’s first experience with hundreds of thousands of residents’ information possibly getting out in the open. In December 2016, the county disclosed that more than 100 of its employees fell for a phishing email that exposed the personal information of as many as 750,000 people using county health services.