A major Brazilian driving school appears to have exposed the sensitive information of up to 400,000 individuals after failing to properly secure a cloud database.
Researchers from Cybernews claim to have found an unprotected Google Cloud Storage bucket containing information about Brazilian Learner’s Driving permits – Licença De Aprendizagem De Direção Veicular.
The learner permit is a document that the Brazilian government issues to people currently attending driving lessons, allowing them to drive a vehicle during lessons. Cybernews says the archive is most likely owned by a driving school from Sao Paulo, called Centro de Formação de Condutores Free Alda.
Still available
Most of the exposed data carries a Detran insignia – which stands for State Department of Traffic (Departamento Estadual de Trânsito).
The researchers believe that up to 400,000 individuals have had sensitive data exposed this way, including full names, photographs, postal addresses, government ID numbers, taxpayers’ numbers, details about the driving permit, including issue date and validity period, signatures, IP addresses, and user phone models. This is more than enough to run all sorts of cybercrime, from identity theft to wire fraud.
The pros think the archive was either misconfigured, or not properly secured. It is impossible to determine for how long it remained open, or if anyone accessed it before they found it. The Cybernews team says they made the discovery on June 2, and that the school was subsequently contacted by Brazil’s CERT. However, as late as September 19, the archive was still open to anyone who knew where to look.
“The exposed data could be exploited by malicious actors for identity theft, fraud, or other illegal activities. Moreover, a breach of this type can undermine public trust in governmental agencies responsible for managing and protecting sensitive personal information,” Cybernews researchers said.
Mystery database containing sensitive info on 762,000 car-owners discovered by researchersHere’s a list of the best firewalls todayThese are the best endpoint protection tools right now