By Mike Kirkpatrick

A massive data breach has exposed nearly 1 million records from a Germany-based lost and found software company, potentially compromising sensitive traveler information across multiple airports in the U.S., Canada, and Europe. A cybersecurity researcher discovered the unprotected database and reported the incident to Website Planet, prompting swift action to secure the data.

Unsecured Databases Discovered

The researcher found an unprotected and unencrypted database containing 820,750 records related to Lost and Found Software, a company that helps airports track and return lost items. Upon further investigation, he was able to predict and locate 14 databases, 10 of which were publicly accessible, totaling 122GB of exposed data.

The compromised records included images and documents related to lost items such as medical devices, electronics, wallets, and luggage. More alarmingly, high-resolution images of passports, driver’s licenses, and employment documents were found in the database, raising concerns about identity theft and fraud.

Potential Risks and Security Concerns

The exposure of personally identifiable information (PII) such as names, addresses, phone numbers, and payment details presents a significant risk. Criminals could exploit this data for identity fraud, create counterfeit documents, or even launch targeted scams against travelers who have lost valuable items.

The use of predictable database naming conventions increased the risk: cybercriminals could potentially locate additional unsecured databases using the same method the researcher employed. The incident underscores the importance of unique and secure database naming structures to prevent unauthorized access.

Company’s Response and Security Measures

Upon receiving the responsible disclosure notice, Lost and Found Software acted quickly, restricting public access to all 14 identified databases within hours. The company attributed the breach to incorrect Amazon S3 bucket policy rules, which had been overridden by access control list (ACL) settings. The security team said that its entire internal database was not exposed; only specific misconfigured S3 buckets were affected.

A day after the disclosure, the company acknowledged the issue, stating: “Thank you for bringing your security research to our attention. We have already taken initial steps to restrict public access to the information and are working on removing access to the specific files that were available until now.” However, it remains unclear how long the database was publicly accessible or whether any unauthorized parties accessed the information before the discovery.
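The ACL and bucket policy interaction the company described can be checked offline, as in this added example (not from the article or the company). It takes a bucket's ACL, parsed bucket policy and Public Access Block settings in the shapes the S3 APIs return and reports which settings grant access to everyone. The bucket name, account ID and role are constructed, and the article does not say how the affected buckets were actually configured.

```python
# Added example, not from the article. Inputs: the S3 GetBucketAcl response,
# the parsed bucket policy document, and the PublicAccessBlockConfiguration dict.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _is_wildcard(principal):
    """True when a policy Principal is "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_exposure(acl, policy, pab):
    """Return findings for settings that grant access to everyone.

    Simplification (assumption of this example): Allow statements that carry
    a Condition are skipped and explicit Deny statements are not evaluated.
    """
    findings = []
    # A public ACL grant applies in addition to the bucket policy, so a policy
    # that names only specific principals does not cancel it; IgnorePublicAcls does.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append("acl:" + grant["Permission"])
    # RestrictPublicBuckets limits the access that a public policy grants.
    if not pab.get("RestrictPublicBuckets", False):
        for stmt in policy.get("Statement", []):
            if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                    and _is_wildcard(stmt.get("Principal"))):
                findings.append("policy:" + str(stmt.get("Action")))
    return findings


# Constructed sample: the policy names one role, but the ACL grants READ to AllUsers.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
ALL_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
ALL_ON = {key: True for key in ALL_OFF}
```

With the sample inputs, `public_exposure(SAMPLE_ACL, SAMPLE_POLICY, ALL_OFF)` reports the public ACL grant even though the policy itself is restrictive, and the same call with `ALL_ON` reports nothing.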

Lessons and Recommendations for Data Protection

This breach highlights the need for companies handling sensitive data to implement strict security measures, including:

  • Enhanced authentication protocols to prevent unauthorized access.
  • Data expiration policies to limit the retention of sensitive information.
  • Regular security audits and penetration testing to identify vulnerabilities.
  • Proper encryption for highly sensitive records like identification documents.

This incident serves as a critical reminder of the risks associated with improper data protection. While Lost and Found Software responded promptly, the breach exposed vulnerabilities that could have severe consequences for affected travelers. Organizations handling sensitive customer data must adopt proactive cybersecurity practices to safeguard against potential threats and unauthorized access.