What’s Happening?

PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data. This means there are 3 options:

PeopleGIS created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured; The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets; The Municipalities created the buckets themselves, with PeopleGIS guidelines about the naming format but without any guidelines regarding the configuration, which would explain the difference between the municipalities whose employees knew about it or not.

What Data Was Left Vulnerable?

The type of documents exposed includes business licenses, residential records such as deeds, tax information, and resumes for applicants to government jobs. Information exposed in the breach include (but isn’t limited to):

Email address Physical address Phone number Drivers license number Real estate tax information Photographs of individuals (on drivers licenses) Photographs of properties Building and city plans

Some of the vulnerable documents were redacted, but they were digitally redacted using transparent tools like a marker. This means whoever found them could change the contrast level of the document in a photo editor and see the redacted information. This means even documents that were redacted were potentially vulnerable in this breach.

The breach could lead to massive fraud and theft from citizens of those municipalities. The highly-sensitive nature of the data contained within a local government’s database, from phone numbers to business licenses to tax records, are highly susceptible to exploitation by bad actors. Much of this information is supposed to be only accessible by the government and the citizens, meaning someone could potentially defraud an individual by posing as a government official.

What Are the Risks and How to Protect Yourself

Identity Theft: The high amount of PIIs (personally identifiable information) and private details exposed in the breach could allow a bad actor to easily pose as someone else and steal their identity. This breach makes identity theft an especially dangerous risk because bad actors are more likely to succeed the more information they have. Phishing, Frauds & Scams: The large number of financial and confidential records left vulnerable could allow hackers to pose as government officials for the purposes of phishing, defrauding, or scamming citizens. Theft: Exposed residential information such as house plans, deeds, and owner information could give attackers insight on their targets. They could also use the information in this breach to find more vulnerable prey, such as senior citizens. File Manipulation: This risk is dependent on how the municipalities use the data in the misconfigured buckets. If the files were simply used for backup storage, there’s little to no risk of property value manipulation. However, if the municipalities actively used the data in these buckets, it could be possible to overwrite the files to manipulate the value of a property, an individual’s tax information, and other methods. Ransom: Attackers could download files from the bucket storage then wipe it and ransom the data back to the cities. Unfortunately, the above list is not comprehensive, and cybercriminals are always generating new methods to exploit anyone vulnerable on the Internet. Though most email clients have methods to block spam and phishing attempts, they are not 100% effective. When receiving an unexpected email from a seemingly trustworthy source, do not open any attachments. Phishing emails often use scare tactics to force users to open the attachment. If you are ever unsure about an email or phone call from an individual claiming to be a government employee, give their department a call. If they did not give a department when contacting you, they are likely not affiliated with the government. This will usually let you verify whether the attachment is legitimate or not. In the event of a data breach, governments should inform potentially-vulnerable citizens as soon as possible.

Why Should I Trust WizCase?

WizCase is a widely popular web security platform offering advice and tips for thousands of readers every week. Translated into over 30 languages, our website has gained the trust of a wide number of people worldwide. Our team regularly discovers new data breaches across the internet and contacts the companies responsible for them prior to publishing any reports. We have found leaks and breaches affecting many different companies from news websites, to popular dating apps, and to the medical industry. Together, we’re working hard towards creating a safer online environment for everyone.