Vice writes that Front Rush, a company that provides recruiting services for college athletes, left a server exposed to the Internet, another case of a misconfigured Amazon S3 bucket. Some 700,000 files were exposed on that server. They included college athletes' medical records, performance reports, driver's licenses, SAT scores, addresses, dates of birth, reviews from specific teams, and athletic financial aid agreements. It's not clear whether anyone accessed the data other than the researchers who discovered the exposed bucket, which Front Rush says has now been secured.
BleepingComputer reports that the medical information of some 50,000 individuals was exposed at Minnesota's Alomere Health. The incident was discovered on November 6th, 2019, when Alomere noticed that an employee's email account had been improperly accessed by an unknown third party. A few days later the hospital discovered that a second employee email account had been compromised. It's not known whether the unknown third parties viewed or obtained any patient data, but it's possible they could have accessed names, addresses, dates of birth, medical record numbers, health insurance information, treatment information, or diagnoses. A subset of patients might also have had Social Security and driver's license numbers exposed.
Local speculation in Las Vegas turned quickly to Iran when the city’s IT department tweeted that “We experienced a cyber compromise at 4:30 a.m. Tuesday. Our IT team is assessing the extent of the compromise. When aware of the attempt, we immediately took steps to protect our data systems. We will have a clearer picture of the extent of the compromise over the next 24 hours.” The city doesn’t think any sensitive or personal data were compromised, but the investigation continues.
Ring, the doorbell and home security company owned by Amazon, has sent a letter to senators investigating privacy issues in which it acknowledged that four employees had been dismissed for improperly accessing video from customers' systems. The employees had access to video for legitimate reasons, but they abused that access in unspecified ways. The letter is a useful presentation of how Ring understands security and privacy and how it seeks to implement them. Vice offers a critique, as does the Washington Post.