An unsecured server has exposed sensitive data belonging to airport employees across Colombia and Peru.
The server belonging to Securitas was left unsecured, resulting in the exposure of 3TB in airport employee records. The data pertained to airport employees across Peru and Colombia. The data was exposed after Securitas left an AWS S3 bucket improperly secured, leaving one million files open on the internet for anyone to access.
The unprotected data contained information dating back to 2018. Four airports were identified in the exposed files, including El Dorado International Airport, Alfonso Bonilla Aragón Interational Airport, and Aeropuerto Internacional Jorge Chávez.
The bucket did not require any authentication to access and contained two main datasets relates to Securitas and airport employees, including ID card photos, personally identifiable information, names, photos, occupations, and national ID numbers. Photographs of airline employees performing tasks such as fueling lines and luggage handling were also in the unsecured bucket.
Security researchers were able to identify unstripped .EXIF data in the photographs, providing the date and time that they were taken as well as geographical location of the photograph in some cases.
Securitas engaged in conversation with the team and secured the server on the same day once it was notified about the issue.