A Melbourne company recruiting horticultural workers, Orchard Tech, left an Amazon Web Services Simple Storage Service (S3) bucket containing thousands of sensitive personal documents open for anyone to access for over a month.
Melbourne-based security researcher Sami Toivonen found the open S3 bucket on October 24 and told iTnews it contained images of passports, driver’s licences, tax forms, and employment contracts.
While Toivonen doesn’t know how long the bucket has been exposed, he noted that it was indexed by one or more search engines on September 14 this year.
One search engine found 12,709 files in the Orchard Tech bucket.
Of these, the open S3 bucket contained 532 passport and 422 driver’s licence images, Toivonen said.
Agricultural chemical user permits, hundreds of MADEC cards [MADEC is an employment services provider] and tax forms, and thousands of employment contracts were also found in the bucket.
The passport and driver’s licence images span 20 nationalities and five Australian states, Toivonen said.
Most of them were from Malaysian nationals, followed by Australians, Tongans, and New Zealanders.
Europeans’ documents were also found in the S3 bucket, Toivonen said.
iTnews was able to confirm that the Orchard Tech data could be found in the index of the search engine, which we have chosen not to name.
Orchard Tech chief executive Hari Yellani was contacted by Toivonen on October 27 and arranged for the S3 bucket to be secured that day.
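"Open" in this context means that the bucket's ACL or bucket policy granted list and read access to everyone, and that Block Public Access did not override it. The article does not say which of these applied to Orchard Tech. As an added example (not code from the article, from Orchard Tech or from AWS), the following script evaluates the three documents an operator would pull from the S3 API and reports whether anonymous access is effectively granted. The sample ACL, policy and Block Public Access documents are constructed to mirror the shape of boto3's get_bucket_acl, get_bucket_policy and get_public_access_block responses; the bucket name and statement IDs are invented.

```python
"""Assess whether an S3 bucket is publicly readable from its ACL, bucket
policy and Block Public Access settings. Added illustration; sample
documents below are constructed, not real Orchard Tech data."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# ACL permissions that let the grantee list the bucket (FULL_CONTROL includes READ).
EXPOSING_PERMS = {"READ", "FULL_CONTROL"}
# Policy actions that let a caller list or fetch objects (compared case-insensitively).
EXPOSING_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def acl_public_grants(acl: dict) -> list:
    """Findings for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri, perm = grantee.get("URI"), grant.get("Permission")
        if uri in (ALL_USERS, AUTH_USERS) and perm in EXPOSING_PERMS:
            who = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"ACL grants {perm} to {who}")
    return findings


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (or a list containing "*") means anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy_json: str) -> list:
    """Findings for Allow statements with an anonymous principal and list/get actions."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "?")
        if "Condition" in stmt:
            # A Condition (e.g. a source VPC endpoint) may narrow access; flag for review.
            findings.append(f"policy statement {sid}: Principal * with Condition (review)")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        exposing = sorted(actions & EXPOSING_ACTIONS)
        if exposing:
            findings.append(f"policy statement {sid}: Principal * allowed {', '.join(exposing)}")
    return findings


def assess_bucket(acl: dict, policy_json, pab: dict) -> dict:
    """Combine the checks. IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises public policy grants; the two Block*
    settings only stop new public grants from being written."""
    pab = pab or {}
    findings = []
    if not pab.get("IgnorePublicAcls"):
        findings += acl_public_grants(acl)
    if policy_json and not pab.get("RestrictPublicBuckets"):
        findings += policy_public_statements(policy_json)
    return {"public": bool(findings), "findings": findings}


# Constructed sample documents (shape of the boto3 responses; contents invented).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-recruiting-docs/*"},
]})
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}

if __name__ == "__main__":
    print(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, PAB_OFF))  # public, two findings
    print(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, PAB_ON))   # same grants, not public
```

Against a live account the three inputs come from `s3.get_bucket_acl(Bucket=name)`, `s3.get_bucket_policy(Bucket=name)["Policy"]` (which raises NoSuchBucketPolicy when none is set) and `s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]`. The second run shows why turning on all four Block Public Access settings is the fastest way to "secure the bucket" without first auditing every grant; the grants themselves should still be removed afterwards. None of this tells you whether a search engine already crawled the listing, which is why the indexing date in the article matters independently of when the bucket was closed.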
Yellani told iTnews that his company uses the Dropbox storage service, but is currently moving some data to AWS.
Orchard Tech will report the breach to the authorities and to the affected workers.
“Our security is looking into it now, seeing what system has been breached and we are going to report it soon,” Yellani said.
He thanked Toivonen and iTnews for bringing the open S3 bucket to his attention but did not explain why Orchard Tech stored so much sensitive information on its workers.