On Wednesday, vpnMentor published a report on the security incident, in which an unsecured bucket was left exposed online. The server, which did not have authentication controls in place and was, therefore, accessible by anyone to view, contained 157GB of data, or just under an estimated 200,000 files. After discovering the open system, the researchers traced the owner as Phlebotomy Training Specialists. The LA-based organization offers phlebotomy certification and courses in states including Arizona, Michigan, Texas, Utah, and California. According to vpnMentor, the records contained within were backed up from September 2020, but some were created before this time. In addition, over 27,000 tracking forms were found that in some cases contained the last four digits of Social Security numbers, as well as student transcripts and training certificate scans. vpnMentor’s team, led by Noam Rotem and Ran Locar, estimates that between 27,000 – 50,000 people, including course applicants and attendees, were impacted. The researchers told ZDNet that two buckets were eventually found, one of which has been closed – but the other remains open. ZDNet has reached out to Phlebotomy Training Specialists for comment and we will update when we hear back.
Previous and related coverage
The biggest hacks, data breaches of 2020Billions of records have been hacked already. Make cybersecurity a priority or risk disaster, warns analystA company spotted a security breach. Then investigators found this new mysterious malware
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0