Domestic Abuse Victims Exposed in Cloud Misconfiguration
A developer at Aspire News, an application run by US non-profit When Georgia Smiled, misconfigured an AWS bucket that resulted in personal information of domestic abuse victims being exposed. Researchers at vpnMentor found voice recordings between emergency distress responders and domestic violence victims stored in a publicly accessible AWS S3 bucket. Researchers uncovered 230MB of data containing roughly 4,000 voice recordings.
Once contacted, the non-profit resolved the issue on the same day. However, the information exposed in the voice recordings was highly sensitive, particularly for the nature of the calls, and included the victims’ full names, home addresses, details of circumstances, abusers’ names, and personal and graphic details. Domestic violence cases have also allegedly surged since the beginning of lockdown measures as abusers and victims are confined at home for long periods of time.