OAKLAND, Calif. — Jessica Arcuri, a restaurant hostess from California, was looking for some extra cash a couple of years ago when she came across a pet-sitting app called PetBacker.
The app invites pet lovers to step forward as paid short-term caretakers of dogs and cats. Based in Malaysia, it serves thousands of customers across 40 countries.
As part of the signup process, Arcuri submitted a government-issued identification document: a copy of her state driver’s license, which contained her full name, home address and birthday. Security experts resoundingly agree that companies should treat personal information with the utmost of care, and only request IDs for a specific purpose, such as a background check. But NBC News found Arcuri’s driver’s license online with no security safeguards whatsoever. When contacted by a reporter, she was alarmed by the news.
“I didn’t even remember that that app had my ID — that’s just crazy,” said Arcuri, 23, of Lakewood. “The fact that you were able to find it is concerning.”
Arcuri is one of the millions of people who have had their personal identifiable information exposed through online file storage systems called “cloud buckets.” The digital equivalent of a safety deposit box, they house data placed in networks of remote servers — what’s known as the cloud.
Placing reams of data in the cloud offers companies the ability to offload its security to a big firm like Google, Apple, Amazon or Microsoft. But the buckets themselves are configured, not by the Googles and Apples of the world, but by the companies who use their cloud networks.
As Arcuri learned the hard way, some companies are placing this sensitive information in buckets not properly secured, a potential bonanza for tech-savvy identity thieves. Cases like these, experts say, show that companies don’t need to be hacked to put customer data at risk.
“Users don’t know what companies are doing with their data,” said Jason Schorr, chief operating officer of Spyglass Security, a firm that has developed one of several tools on the market for documenting and identifying exposed data in the cloud. “They have no idea.”
NBC News scoured online cloud buckets with the help of Schorr and found a trove of sensitive data: images of ID cards, near-nude photos, résumés with contact information.
One used by HelloTech, a company that provides in-home IT services nationwide, contained thousands of unprotected identity documents belonging to its technicians. The bucket was also filled with images of IT setups inside customers’ homes.
Among the easy-to-access passports and driver’s licenses was one belonging to Harlan Laskey, an Ohio man who briefly worked years ago for Geekatoo, a company thatmerged with Hellotech in 2016.
“It’s definitely disconcerting, it’s not a good feeling at all,” said Laskey.
“The possibilities are endless for someone who gets a hold of that who has nefarious purposes,” Laskey added. “If you found it on the open web that speaks for itself.”
HelloTech CEO Greg Steiner said in an interview that the data “should never have been exposed publicly,” adding that his company would work to lock it down.
“We have no reason to believe that any information was exploited,” he said in a follow-up email. “We are reviewing and strengthening our security controls.”
Byers Market Newsletter
Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox.
The bucket used by PetBacker contained drivers’ licenses and other sensitive documents from users based in a host of countries, including the U.S., the Czech Republic, the Philippines, the United Kingdom, Malaysia and Australia.
In an interview, PetBacker co-founder Edward Khoo said the company was unaware that the identity documents were made publicly available. He expressed gratitude for being alerted to the security flaw.
“We take this very seriously,” he said.
In an interview three weeks later, Khoo said that the problem stemmed from users submitting identity documents via the app’s support chat function. “The main problem here was the process of having the chats not being secured,” he said. “It seems we could improve on that.”
In one bucket used by a real estate answering services company, NBC News found millions of voicemails, mostly apartment inquiries and maintenance requests, that included the caller’s name and cell phone number. Among the messages was one from a police officer trying to get into a building in New Castle County, Delaware to serve a warrant and another from a South Carolina woman complaining about what she said was a mistaken eviction notice.
The company that uses the bucket, Activ, did not respond to repeated attempts for comment over several weeks. But on December 12, a company spokesman said in an email that Activ “investigated immediately and resolved the situation within 45 minutes.”
“Thank you for bringing this to our attention,” added the spokesman, Jason Mudd.
An unprotected cloud bucket used by an app called Cluster, which advertises itself as “private group sharing with friends and family,” contained 6.4 million photos, including images of children at school, a woman in a bikini, a passport belonging to a British baby and professional pornography.
Cluster’s data was available until late on November 26, after NBC News contacted Brenden Mulligan, the company’s former CEO and current adviser. Cluster did not respond to a request for comment but has changed the settings on their cloud storage.
In all, NBC News gained access to 20 unsecured buckets, containing nearly 48 million items.
In most cases, it’s nearly impossible to discern from the outside who owns the open cloud buckets because they have generic names like “cars_images” or “hotels-images.”
Security experts say that leaving such a gaping hole in a company’s digital infrastructure can be very problematic, amounting to a virtual bonanza for tech-savvy identity thieves.
“That is a rookie mistake and that is squarely on the company that is managing the data,” Kenneth White, co-director of the Open Crypto Audit Project, said. “That’s inexcusable. It’s the security equivalent of having a toilet in the cooking area at a restaurant. You don’t do that.”
Chris Vickery, director of cyber risk research at UpGuard, a cybersecurity company in Santa Rosa, California, which regularly hunts leaky cloud buckets, noted that a reliance on cloud storage can come with trade-offs.
“Incompetent employees can mess up anything and relying on cloud solutions without properly training your staff is not necessarily an improvement as far as security is concerned,” he said.
Experts say that fixing these glaring holes should be relatively easy — it’s a simple matter of restricting access, also known as “changing permissions,” both to the folders and the individual files within them.
The potential risks for companies and their customers are profound. In recent years, cybercriminals have increasingly targeted cloud servers to harvest personal information and corporate secrets. In some cases, they have seized control of company data repositories and demanded a ransom from the company in return for unlocking the files.
In 2017, a misconfigured cloud bucket resulted in six million Verizon users’ private data being leaked. Verizon fixed the issue and said “no loss or theft of customer information” occurred. That same year, researchers found nearly 200 million voters’ personal data — name, address, birth date, and more — that had been exposed in a cloud leak. The conservative analytics firm that mistakenly leaked the data updated the access settings to the cloud bucket to prevent further access.
No easy solutions
For consumers, it’s practically impossible to avoid companies that use cloud storage, experts say, and it’s impractical for most people to try to discern if companies are properly safeguarding their data.
“Unfortunately a layperson isn’t going to know if a company is doing well on the security front, and any company can lose data even if they have a good security program,” said Jackie Singh, the CEO of Spyglass Security.
“Don’t save anything in the cloud that you don’t want to see on the front page of the New York Times.”
When possible, she added, people should reduce the number of companies that have their data and be mindful of what data they do upload, given that “breaches are inevitable.”
Meanwhile, Arcuri, the former PetBacker user, remains disturbed that her driver’s license may still be floating around online.
“If they could take my whole thing off of their database, that would be awesome,” she said. “My address is on there. That’s a little scary.”
