How online 'cloud buckets' are exposing private photos and other sensitive data

NBC News located a trove of personal information in online file storage systems left unprotected by the companies that use them.
Illustration of thief breaking into a room full of ID cards.
Claire Merchlinsky / for NBC News

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
SUBSCRIBE
By Cyrus Farivar

OAKLAND, Calif. — Jessica Arcuri, a restaurant hostess from California, was looking for some extra cash a couple of years ago when she came across a pet-sitting app called PetBacker.

The app invites pet lovers to step forward as paid short-term caretakers of dogs and cats. Based in Malaysia, it serves thousands of customers across 40 countries.

As part of the signup process, Arcuri submitted a government-issued identification document: a copy of her state driver's license, which included her full name, home address and birthday. Security experts resoundingly agree that companies should treat personal information with the utmost of care and request IDs only for specific purposes, such as background checks. But NBC News found Arcuri's driver's license online with no security safeguards whatsoever. When contacted by a reporter, she was alarmed.

"I didn't even remember that that app had my ID — that's just crazy," said Arcuri, 23, of Lakewood. "The fact that you were able to find it is concerning."

Arcuri is one of the millions of people who have had their personal identifiable information exposed through online file storage systems called "cloud buckets." The digital equivalents of safety deposit boxes, they house data placed in networks of remote servers — what's known as the cloud.

Placing reams of data in the cloud offers companies the ability to offload their security to big firms like Google, Apple, Amazon or Microsoft. But the buckets themselves are configured not by the Googles and Apples of the world but by the companies who use their cloud networks.

As Arcuri learned the hard way, some companies are placing this sensitive information in improperly secured buckets, a potential bonanza for tech-savvy identity thieves. Cases like these, experts say, show that companies don't need to be hacked to put customer data at risk.

"Users don't know what companies are doing with their data," said Jason Schorr, chief operating officer of Spyglass Security, which has developed one of several tools on the market to document and identify exposed data in the cloud. "They have no idea."

NBC News scoured online cloud buckets with the help of Schorr and found a trove of sensitive data: images of ID cards, near-nude photos, résumés with contact information.

One used by HelloTech, a company that provides in-home information technology services nationwide, included thousands of unprotected identity documents belonging to its technicians. The bucket was also filled with images of IT setups inside customers' homes.

Among the easy-to-access passports and driver's licenses was one belonging to Harlan Laskey, an Ohio man who briefly worked years ago for Geekatoo, a company thatmerged with HelloTech in 2016.

"It's definitely disconcerting. It's not a good feeling at all," Laskey said.

"The possibilities are endless for someone who gets a hold of that who has nefarious purposes," Laskey added. "If you found it on the open web, that speaks for itself."

HelloTech Chief Executive Greg Steiner said in an interview that the data "should never have been exposed publicly," adding that his company would work to lock it down.

"We have no reason to believe that any information was exploited," he said in a follow-up email. "We are reviewing and strengthening our security controls."

The bucket used by PetBacker included drivers' licenses and other sensitive documents from users based in a host of countries, including the United States, the Czech Republic, the Philippines, the United Kingdom, Malaysia and Australia.

Byers Market Newsletter

Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox.

In an interview, PetBacker co-founder Edward Khoo said the company was unaware that the identity documents were made publicly available. He expressed gratitude for being alerted to the security flaw.

"We take this very seriously," he said.

In an interview three weeks later, Khoo said the problem stemmed from users who submitted identity documents via the app's support chat function. "The main problem here was the process of having the chats not being secured," he said. "It seems we could improve on that."

In one bucket used by a real estate answering services company, NBC News found millions of voicemails, mostly apartment inquiries and maintenance requests, that included the callers' names and cellphone numbers. Among the messages was one from a police officer trying to get into a building in New Castle County, Delaware, to serve a warrant and another from a South Carolina woman complaining about what she said was a mistaken eviction notice.

The company that uses the bucket, Activ, did not respond to repeated attempts for comment over several weeks. But on Dec. 12, a spokesman said in an email that Activ "investigated immediately and resolved the situation within 45 minutes."

"Thank you for bringing this to our attention," added the spokesman, Jason Mudd.

An unprotected cloud bucket used by an app called Cluster, which advertises itself as "private group sharing with friends and family," contained 6.4 million photos, including images of children at school, a woman in a bikini and a passport belonging to a British baby, as well as professional pornography.

Cluster's data was available until late on Nov. 26, after NBC News got in contact with Brenden Mulligan, the company's former chief executive, who is now an adviser. Cluster did not respond to a request for comment but has changed the settings on its cloud storage.

In all, NBC News gained access to 20 unsecured buckets, containing nearly 48 million items.

In most cases, it's nearly impossible to discern from the outside who owns the open cloud buckets because they have generic names like "cars_images" or "hotels-images."

Security experts say leaving such gaping holes in a company's digital infrastructure can be very problematic.

"That is a rookie mistake, and that is squarely on the company that is managing the data," said Kenneth White, co-director of the nonprofit Open Crypto Audit Project.

It appears that user content data was being stored in the same cloud folder as the actual website code, which is highly unusual.

"That's inexcusable," he continued. "It's the security equivalent of having a toilet in the cooking area at a restaurant. You don't do that."

Chris Vickery, director of cyber risk research at UpGuard, a cybersecurity company in Santa Rosa, California, which regularly hunts leaky cloud buckets, noted that a reliance on cloud storage can come with trade-offs.

"Incompetent employees can mess up anything, and relying on cloud solutions without properly training your staff is not necessarily an improvement as far as security is concerned," he said.

Experts say fixing such glaring holes should be relatively easy — it's a simple matter of restricting access, also known as "changing permissions," both to the folders and to the files within them.

The potential risks for companies and their customers are profound. In recent years, cybercriminals have increasingly targeted cloud servers to harvest personal information and corporate secrets. In some cases, they have seized control of company data repositories and demanded ransom from companies to unlock files.

In 2017, a misconfigured cloud bucket resulted in the leak of 6 million Verizon users' private data. Verizon fixed the issue and said "no loss or theft of customer information" occurred. The same year, researchers found nearly 200 million voters' personal data — names, addresses, birth dates and more — that had been exposed in a cloud leak. The conservative analytics firm that mistakenly leaked the data updated the access settings to the cloud bucket to prevent further access.

No easy solutions

For consumers, it's practically impossible to avoid companies that use cloud storage, experts say, and it's impractical for most people to try to figure out whether companies are properly safeguarding their data.

"Unfortunately, a layperson isn't going to know if a company is doing well on the security front, and any company can lose data even if they have a good security program," said Jackie Singh, chief executive of Spyglass Security.

"Don't save anything in the cloud that you don't want to see on the front page of The New York Times," Singh said.

When possible, she added, people should reduce the number of companies that have their data and be mindful of what data they do upload, given that "breaches are inevitable."

Meanwhile, Arcuri, the former PetBacker user, remains disturbed that her driver's license may still be floating around online.

"If they could take my whole thing off of their database, that would be awesome," she said. "My address is on there. That's a little scary."