The American energy sector, much like the rest of the country, is having a hard time. In a detailed security report from vpnMentor, researchers found an exposed database containing more than 70,000 private files belonging to RigUp's clients and the workers on its books. RigUp is a Texas-based start-up that provides gig workers for the oil and gas sector. Before this week's revelations, it had already laid off more than 100 employees because of the COVID-19 outbreak.
Fortunately, RigUp responded to vpnMentor's report. If any bad actors had gained access to the sensitive files, the company's clients could have found themselves on the receiving end of criminal attacks, including tax and insurance fraud, identity theft, and a lot more. So far, no reports of that sort have surfaced, though with an open bucket there is usually no way to know who else downloaded the files before it was closed. An exposure of this scale is always worrying and can do huge damage to any business, especially one that is only just getting off the ground.
How the data was compromised — The vulnerability arose from an exposed Amazon Web Services S3 bucket called "ru," according to vpnMentor. S3 buckets are private by default; one becomes reachable from the open internet only when a bucket policy or ACL grants access to everyone, after which anyone who knows or guesses the bucket name can list and download its objects without credentials. It looks like RigUp used "ru" as a file dump for a variety of information, including job applications and data about prospective employees, contracted clients' information, and other sensitive material. According to vpnMentor, a sizable portion of the database consisted of resumes, personal photographs of employees and their families, insurance claims, professional ID tags, information about which employees had military backgrounds, and much more.
Much of the data was personally identifiable — Personally Identifiable Information (PII) made up a sizeable chunk of the exposed files, including Social Security numbers, dates of birth, tax information, professional certificates revealing education history, and U.S. government certificates. Information about companies affiliated with RigUp was also exposed, including project outlines and proposals, draft construction timelines, and various companies' insurance data.
How RigUp responded — In previous cases where it has found exposed data, vpnMentor hasn't minced its words, taking companies to task for their delayed responses to security reports (consider the PussyCash data breach). In RigUp's case, the research team noted that the response took some time, but ultimately the company exhibited a renewed dedication to information privacy and took responsibility for its mistake.
"We must commend RigUp for responding positively to our disclosure, especially at a time when it must be experiencing considerable disruption, due to the coronavirus pandemic," vpnMentor's report notes. "The company took full responsibility for the leak – a rare occurrence – and guaranteed a root cause analysis would be conducted."
In the meantime, vpnMentor recommends that RigUp, and practically any company that stores sensitive data, secure its servers, implement strict access controls, and always require authentication for database access. For an S3 bucket specifically, that means auditing the bucket policy and ACL for grants to everyone (a wildcard principal or the AllUsers group), replacing them with named IAM principals, and turning on the S3 Block Public Access settings so that a future misconfiguration cannot quietly reopen the bucket.
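As an added example of the check described above (this is editorial code, not something from vpnMentor's report or from RigUp), the script below audits an S3 bucket policy and ACL for public access and rewrites the offending statements to a single named principal. Only the bucket name "ru" is taken from the article; the sample policy, the ACL, the account ID and the role name are constructed placeholders, and the hardened state is expressed as the four Block Public Access settings AWS actually exposes.

```python
"""Audit an S3 bucket policy and ACL for public access, then harden them.

Added example: the inputs are constructed and hypothetical. RigUp's real
bucket configuration was never published.
"""
from __future__ import annotations

import copy
import json
from typing import Any

# Grantee groups that make a bucket or object readable without credentials
# (AllUsers) or by any AWS account at all (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four S3 "Block Public Access" settings; all four on is the hardened state.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Placeholder IAM role for the application that legitimately writes the bucket.
APP_ROLE_ARN = "arn:aws:iam::123456789012:role/upload-service"

# Constructed sample: a policy of the kind that turns a bucket into an
# anonymous file dump. Statement "PublicRead" is the defect.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::ru", "arn:aws:s3:::ru/*"]},
        {"Sid": "AppWrite", "Effect": "Allow", "Principal": {"AWS": APP_ROLE_ARN},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::ru/*"},
    ],
}

# Constructed sample ACL with a world-readable grant alongside the owner's.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _as_list(value: Any) -> list:
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """True if a Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list[dict]:
    """Return the Allow statements that name a wildcard principal.

    Statements carrying a Condition are still reported (with their condition
    keys) because conditions such as aws:SourceIp are often looser than intended.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": _as_list(stmt.get("Action", [])),
                "conditions": sorted(stmt.get("Condition", {})),
            })
    return findings


def public_acl_grants(acl: dict) -> list[str]:
    """Return "PERMISSION -> Group" for every grant to a public grantee group."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            grants.append(f'{grant["Permission"]} -> {grantee["URI"].rsplit("/", 1)[-1]}')
    return grants


def audit_bucket(policy: dict, acl: dict) -> dict:
    """Combine the policy and ACL checks into one verdict."""
    statements = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    return {"public": bool(statements or grants),
            "public_statements": statements, "public_acl_grants": grants}


def hardened_policy(policy: dict, principal_arn: str) -> dict:
    """Copy the policy, replacing every wildcard principal with one named IAM
    principal so that each access is authenticated and attributable."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement", []))
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": principal_arn}
    return fixed


if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_POLICY, SAMPLE_ACL), indent=2))
    print(json.dumps(hardened_policy(SAMPLE_POLICY, APP_ROLE_ARN), indent=2))
    print(json.dumps(HARDENED_PUBLIC_ACCESS_BLOCK, indent=2))
```

In a real audit the two inputs come from `get-bucket-policy` and `get-bucket-acl` on the bucket, and the hardened policy and the Block Public Access map are what you would push back with `put-bucket-policy` and `put-public-access-block`. Note that removing the public statement is necessary but not sufficient: the ACL grant has to go as well, and Block Public Access is what stops the next developer from reintroducing either.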