Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

RigUp Database Exposed 76,000 Files From U.S. Energy Sector

An exposed Amazon Web Services (AWS) S3 bucket belonging to RigUp was found to expose tens of thousands of private files belonging to organizations and individuals in the U.S. energy sector, vpnMentor reports.

An exposed Amazon Web Services (AWS) S3 bucket belonging to RigUp was found to expose tens of thousands of private files belonging to organizations and individuals in the U.S. energy sector, vpnMentor reports.

Founded in 2014, United States-based RigUp is a labor marketplace and services provider for the country’s energy sector. The software company connects independent contractors with companies across the U.S.

The discovered database contained over 76,000 private files pertaining to both companies and individuals using the platform, vpnMentor says.

On March 10, the security firm discovered the exposed S3 bucket, which was labeled “ru”, and which contained many files featuring RigUp’s name, thus allowing for a quick identification of the owner.

The live database was over 100GB in size, containing data stored there between July 2018 and March 2020. In this database, RigUp was storing a broad range of files belonging to clients, contractors, job seekers, and candidates for employment.

Human resources-related files found in the database included employee and candidate resumes, personal photos (even private family photos), paperwork and IDs related to insurance policies and plans, professional IDs, profile photos (including US military personnel), and scans of professional certificates in different fields.

A considerable amount of personally identifiable information (PII) was included in these files, such as full contact details (names, addresses, phone numbers, home addresses), Social Security information, dates of birth, insurance policy and tax numbers, personal photos, and additional information related to education, professional experience, and personal lives.

Internal records related to business operations, projects, and corporate relationships of many energy firms were also found in the database, including project proposals and applications, project outlines, technical drawings for drilling equipment, and corporate insurance documents.

“Had malicious hackers discovered this database, it would have been an absolute goldmine for various fraud schemes and criminal attacks against everyone involved,” vpnMentor says.

The root cause of the issue, the security firm notes, was that RigUp did not properly secure the database, thus exposing information on thousands of individuals. However, the company was quick to address the issue after being alerted on the matter.

“These kinds of breaches are almost always tied back to human error, either not following documented instructions or failing to automate an important security step during deployment. The answer remains to continuously increase awareness of the risks associated with cyber security and the importance of being vigilant any time a human action is involved. Creating this culture of awareness is the first and most important step any organization can take in decreasing their cyber exposure,” Bill Santos, president of Cerberus Sentinel, said in an emailed comment.

Related: Millions of Digital Wallets Exposed by Key Ring

Related: Financial Services Firms Exposed 500,000 Sensitive Documents

Related: UK Printing Company Exposed Military Documents

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility