Nearly 1M records related to personal property were exposed

Research from Jeremiah Fowler has revealed non-password-protected databases associated with Lost and Found Software, a Germany-based organization providing property tracking and return services for airports in the United States, Canada, and Europe. 

14 databases were identified, with 10 of them being publicly accessible. Combined, the databases contain 820,750 records (122 GB). It is not known how long these databases were exposed before Fowler’s discovery.  

Information featured in the exposed documents includes: 

• Records and images of shipping labels
• Screenshots and reports
• Lost items (including medical device, personal electronics, antiques — anything a passenger may take on their flight)

There was also a notable number of high-resolution images featuring identification documents, such as driver’s licenses, passports, employment documents, and more. Additionally, there were chat files with screenshots containing payment confirmations, receipts of lost products, shipping labels, and other documentation with personally identifiable information (PII). Many of these records were kept inside of folders with the label “user image and item image.”

The potential risks of such an exposure include: 

• Identify theft 
• Targeted phishing attacks 
• Impersonation 
• Fraudulent activities driven by insider information 

According to the research, it is currently not known if the databases were managed by Lost and Found Software or a third party. Once the organization was informed of the exposure, the publicly accessible databases were restricted within hours.

https://www.securitymagazine.com/articles/101432-nearly-1m-records-related-to-personal-property-were-exposed