Advertisement
Australia markets closed

  • ALL ORDS

    8,022.70
    +28.50 (+0.36%)
     

  • ASX 200

    7,749.00
    +27.40 (+0.35%)
     

  • AUD/USD

    0.6608
    -0.0013 (-0.20%)
     

  • OIL

    78.40
    -0.86 (-1.09%)
     

  • GOLD

    2,370.20
    +29.90 (+1.28%)
     

  • Bitcoin AUD

    91,801.47
    -2,545.30 (-2.70%)
     

  • CMC Crypto 200

    1,255.91
    -102.10 (-7.52%)
     

  • AUD/EUR

    0.6132
    -0.0006 (-0.11%)
     

  • AUD/NZD

    1.0971
    +0.0003 (+0.03%)
     

  • NZX 50

    11,755.17
    +8.59 (+0.07%)
     

  • NASDAQ

    18,160.36
    +46.90 (+0.26%)
     

  • FTSE

    8,433.76
    +52.41 (+0.63%)
     

  • Dow Jones

    39,525.06
    +137.30 (+0.35%)
     

  • DAX

    18,772.85
    +86.25 (+0.46%)
     

  • Hang Seng

    18,963.68
    +425.87 (+2.30%)
     

  • NIKKEI 225

    38,229.11
    +155.13 (+0.41%)
     

Over 750,000 applications for US birth certificate copies exposed online

Zack Whittaker
Updated

An online company that allows users to obtain a copy of their birth and death certificates from U.S. state governments has exposed a massive cache of applications — including their personal information.

More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services (AWS) storage bucket. (The bucket also had 90,400 death certificate applications, but these could not be accessed or downloaded.)

The bucket, owned by a Barcelona-based company Onlinevitalus, wasn't protected with a password, allowing anyone who knew the easy-to-guess web address access to the data.

Each application process differed by state, but performed the same task: allowing customers to apply to their state's record-keeping authority — usually a state's department of health — to obtain a copy of their historical records. The applications we reviewed contained the applicant's name, date-of-birth, current home address, email address, phone number and historical personal information, including past addresses, names of family members and the reason for the application — such as applying for a passport or researching family history.

The applications for copies of birth certificates from many U.S. states — including California, New York and Texas — were left online (Image: TechCrunch)

ADVERTISEMENT

The applications dated back to late-2017 and the bucket was updating daily. In one week, the company added about 9,000 applications to the bucket.

U.K.-based penetration testing company Fidus Information Security found the exposed data. TechCrunch verified the data by matching names and addresses against public records.

Fidus and TechCrunch sent several emails prior to publication to warn of the exposed data, but we received only automated emails and no action was taken. When reached, Amazon would not intervene but said it would inform the customer. Onlinevitalus eventually took down the bucket, but did not comment.

We also informed Spain's data protection authority to warn of the security lapse, but the authority did not comment.

Updated to include the company's name, after the data was secured.

Read more: