The NSS was using Amazon Web Services to store over 3 million files from its programs.
Data Breach Summary
What is Ghanas National Service Secretariate?
But rare are these times.
We often need days of investigation before we understand whats at stake or whos exposing the data.
Understanding a breach and its potential impact takes careful attention and time.
We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research or playing down its impact.
So, we need to be thorough andmake sure everything we find is correct and accurate.
S3 buckets are an increasingly popular enterprise cloud storage solution.
However, users must set up their security protocols manually to protect any data stored therein.
Finally, many of the documents contained the NSS logo and text directly related to the scheme.
However, we never received a reply from the NSS.
We also reached out to Ghanas Computer Emergency Response Team (CERT-GH) twice.
The second time, they replied the same day requesting more information about our discovery.
After disclosing the situation to them, CERT-GH replied:
“My team has verified and confirmed the vulnerability.
A report has been prepared and shared with the CERT coordinating Gov Agencies incidents.
We will be following up to ensure that the issue is resolved ASAP.
We followed up several times to the Ghana’s CERT, but never received a replied back.
We also reached out to the Ghana’s government, unfortunately without success.
We followed up several times to the Ghana’s CERT, but never heard back from them again.
We also reached out to the Ghana’s government, unfortunately without success.
The NSS took steps to protect peoples identities by password-protecting sensitive files within the S3 bucket.
Different file types were stored across individual folders to keep them apart.
But as well demonstrate, this wasnt enough to protect peoples data.
Each one was stored as an individual PDF file.
60+ of these PDF files were completely unprotected.
330,000+ were secured via passwords.
These QR codes were not encrypted or password-protected in any way.
Archived Documents - 1,700+
Various documents were archived data.
Most of these files were not recent and had no password protection or encryption.
Potentially more were stored in other folders.
There was no password protection or encryption on the files.
These included biometric passport photos, ID cards, and other documents uploaded by staff at the NSS.
Hopefully, this data will remain out of criminal hands.
In a phishing campaign, criminals send victims fake emails and text messages imitating real businesses and organizations.
Or simply spies on the government undetected.
Furthermore, much of the data exposed in this breach is permanent and can never be changed.
Cyberattacks on hospitals and medical institutions have been on the rise in recent years as a result.
Theyre usually the result of an error by the owner of the bucket.
Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
To learn about data vulnerabilities in general, read ourcomplete guide to online privacy.
Our researchers use large-scale web scanners to search for unsecured data stores containing information that shouldnt be exposed.
They then examine each data store for any data being leaked.
Our team was able to access this S3 bucket because it was completely unsecured and unencrypted.
As ethical hackers, were obliged to inform a company when we discover flaws in their online security.
The purpose of this web mapping project is to helpmake the internet safer for all users.
We never sell, store, or expose any information we encounter during our security research.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.
This has includedexposing the growing popularity of cybercrime groups on Telegram.
We also revealed how apopular Chinese game developer was leaking data from over 1 million people.
You may also want to read ourVPN Leak Report and Data Privacy Stats Report.
Help Us Protect The Internet!
Check the Leak Box here »
yo, comment on how to improve this article.
