We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Report: Cybersecurity Firm’s Data Exposed, Among Others

Hendrik Human, Cybersecurity Researcher

The vpnMentor cybersecurity research team, led by Noam Rotem and Ran Locar, has uncovered an unsecured AWS S3 bucket containing over 5.5 million files and more than 343GB of data, whose owner remains unconfirmed.

Timeline of Discovery and Owner Reaction

Sometimes the extent of a data breach and the owner of the data are obvious, and the issue is quickly resolved. But such cases are rare. Most often, we need days of investigation before we understand what’s at stake or who’s exposing the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true.

In this case, after a few days of research, we identified the possibility that the data belongs to InMotionNow, and subsequently contacted the company with our findings. Although the unsecured S3 bucket is now closed, no one from the company ever responded to our attempts to reach out, so we are unable to confirm the ownership.

  • Date discovered: December 20, 2019
  • Date InMotionNow (assumed owner of the data) notified: December 26, 2019
  • Date Amazon notified: December 29, 2019, January 7, 2020, and January 30, 2020
  • Date bucket was closed: February 17, 2020
  • Date other companies notified: March 16, 2020

Company Profiles

In this particular case, our research team was not able to verify without a shadow of a doubt who, exactly, owns the exposed data. For this reason, we have decided that it’s crucial to let the general public know whose data and which data was made vulnerable by the lack of standard cybersecurity procedures. 

Our research led us to assume that InMotionNow owns the data. We reached out to them and no one replied, and there was no clear indication in the exposed bucket that it was theirs. With this in mind, we are including all companies whose data was found in the bucket. If it does in fact belong to InMotionNow, they’ll know who’s exposing the data, and if it doesn’t, the companies will be able to investigate further themselves. Our team has reached out to these companies on March 16, 2020, as well.

InMotionNow is a project management software company started in 1999 and headquartered near Raleigh, North Carolina. They boast FDA-compliant security standards, aimed at the verticals of their target customers.

Included here is a non-exhaustive list of the companies whose marketing material was found in the unsecured S3 bucket:

  • Cybersecurity firm ISC2.org, which had multiple files included in this breach as well.
  • Insurance company Brotherhood Mutual, which serves primarily religious institutions across the United States.
  • Universities, such as Kent State in Ohio and Purdue in Indiana, which also had a plethora of files and information contained within the S3 bucket.
  • Potawatomi Hotel & Casino in Milwaukee, Wisconsin.
  • Consumer electronics company Zagg (ZAGG), which designs and produces mobile accessories.
  • Non-profit organization the Freedom Forum Institute, which fosters U.S. First Amendment freedoms for all.

Organizations subject to a variety of health industry regulations were also found. They include, but may not be limited to:

  • Myriad Genetics (MYGN) - Genetic and disease testing company.
  • Performance Health - Physical therapy equipment and supplies provider.

Examples of Data Entries

Here’s the list of data that our research team found and was able to identify:

Data Impacted

  • Analytics reports
  • Internal presentations, including:
    • Company strategy
    • Annual revenue amounts
    • Current customer count
  • Training materials
  • Internal client requests, including:
    • Requester name
    • Project name and details
  • Marketing strategies and collateral
  • Product labels
  • Business intelligence
  • Mailing lists with relevant PII

University donor lists, including:

  • Full names
  • Personal and work emails
  • Direct phone numbers
  • Credentials (degree, school, year)
  • Amount donated

University Donor List

Countries Affected

These are the countries where we found customers included in the data breach. We did not open every file, so it is possible that clients in additional countries were also impacted.

  • France
  • United States of America

Data Breach Impact

Confidential Information

The items contained in this data breach often hold private and/or confidential information. The promise of secure facilities and systems is a key selling point for clients such as the military and its supply chain, and the breach of that guarantee is not only a failure in service but also a potential security risk in itself.

Identity Theft

Knowing the full name, birthdate, and, yes, even the incarceration record of an individual can provide criminals with enough information to steal that person’s identity.

Identity theft does not always mean that the thief will claim to be a particular individual in real life; it also allows them to commit credit fraud, drain the victim’s bank account, and run scams against the family, friends, and other associates of the identity theft victim.

Copyright Violations

Anyone with access to the countless copyrighted documents contained within this S3 bucket could easily download them without having to pay for their contents and also illegally upload them to a torrent network, available for free to all.

Fraud

Combining corporate branding resources with a directory of contacts makes fraud easier for anyone with harmful intentions. Counterfeit university degrees could be created, and proprietary information could be used to establish unwarranted credibility.

Corporate Espionage

Full unencrypted logins for administrators seem to have been made available in this breach. The loss of control over this access could lead to cybercriminals taking over accounts and obtaining otherwise confidential information about stores, employees, and customers.

Advice from the Experts

The company that owns this bucket could have easily avoided this data breach if it had taken some basic security measures to protect the S3 bucket. These include, but are not limited to:

  1. Secure your servers.
  2. Implement proper access rules.
  3. Never leave a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size. For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.

Securing an Open S3 Bucket

It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.

In the case of this unsecured S3 bucket, the quickest way to fix this error would be to:

  • Make the bucket private and add authentication protocols.
  • Follow AWS access and authentication best practices.
  • Add more layers of protection to the S3 bucket to further restrict who can access it from every point of entry.
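The three items above map to three settings that can be audited offline. As an added example that is not part of this report or of AWS documentation, the checks below flag a bucket policy open to the wildcard principal, an ACL granting access to the AllUsers or AuthenticatedUsers groups, and an incomplete Block Public Access configuration; the policy and ACL documents are constructed samples in the shapes the S3 API returns, and the bucket name and account ID are placeholders.

```python
import json

# Added example, not the report's code: offline checks for the three S3
# misconfigurations the report describes (public policy, public ACL, missing
# Block Public Access). Sample documents below are constructed, not from the leak.
# ACL grantee groups meaning "anyone on the internet" / "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
# The four Block Public Access settings; every one must be enabled.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def policy_is_public(policy_json: str) -> bool:
    """True if an Allow statement names the wildcard principal with no Condition."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditioned grants are not flagged here
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):          # {"AWS": "*"} or {"AWS": [...]}
            principal = principal.get("AWS", [])
        if isinstance(principal, str):           # bare "*" or a single ARN
            principal = [principal]
        if "*" in principal:
            return True
    return False


def acl_is_public(grants: list) -> bool:
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def block_public_access_complete(config: dict) -> bool:
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(key) is True for key in BLOCK_KEYS)


# Constructed sample: a policy that makes every object readable by anyone.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample: the same objects, readable only by one IAM role (placeholder account).
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample: a public-read ACL grant, the other common way buckets get exposed.
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
```

In practice the inputs come from `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`; a bucket passes only if the first two checks are false and the third is true.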

For those affected by the data breach

If you think you may have your personal or corporate information on this unsecured S3 bucket - and are concerned about how this breach might impact you or other data vulnerabilities in general, read our complete guide to online privacy to help better protect yourself online in the future. It shows you the many ways cyber criminals target internet users, and the steps you can take to stay safe.

You can also use a VPN to hide some of the data collected by the owner of this bucket. A VPN will mask your IP address and country of residence, giving you an added layer of protection even if your data is exposed.

How and Why We Discovered the Breach

The vpnMentor research team discovered the misconfigured bucket as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked.

When they find a data breach, they use expert techniques to verify the identity of the S3 bucket's owner. We then alert the company to the breach. If possible, we will also alert those affected by the breach.

We were able to access the S3 bucket because it was completely unsecured and unencrypted. Using a web browser, the team could access all files hosted on the bucket.

The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security.

However, these ethics also mean we carry a responsibility to the public. This is especially true when the company's data breach contains such a huge amount of private and sensitive information.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

In the past, we’ve discovered a breach in LightInTheBox that compromised the data of its customers. We also recently revealed that a company owned by major hotel chain AccorHotels exposed over 1TB of guests’ data. You may also want to read our VPN Leak Report and Data Privacy Stats Report.


About the Author

Hendrik is a writer at vpnMentor, specializing in VPN comparisons and user guides. With 5+ years of experience as a tech and cybersecurity writer, plus a background in corporate IT, he brings a variety of perspectives to test VPN services and analyze how they address the needs of different users.
