We recently discovered an unsecured Microsoft Azure Blob that contains deeply sensitive documents of more than 12,000 construction workers, including scans of passports, national IDs, birth certificates, and tax returns. The cloud storage also contains self-employment contracts that include personally identifiable information such as full names, addresses, UK national insurance numbers, and signatures.
The database appears to belong to Nohow International, a UK-based recruitment and staffing agency that provides blue- and white-collar personnel services to companies across the UK and other countries.
On December 8, we reached out to Nohow regarding the leak but received no response from the company. We then reported the leak to Microsoft CERT on December 15 and the blob was secured sometime in early January.
What data was exposed?
At the time of discovery, the unsecured Microsoft Azure Blob contained 12,464 images, PDF documents, and email messages presumably sent by the exposed workers to Nohow International.
The files include photos of national ID cards and national insurance cards.
The Azure Blob also contained MSG files of email messages sent by construction workers to Nohow’s email address used specifically for receiving documents. The email messages include the workers’ personal and payment information, such as taxpayer reference and national insurance numbers, as well as banking details.
Who is the company behind the leak?
Nohow International is an employment agency that supplies management staff and contract labor to companies in the construction, shopfitting, and mechanical and electrical industries and has 40,000 registered operatives.
According to the Nohow website, the company operates a national database of UK residents “in order to satisfy the fast-track need of [Nohow’s] customers and ensure business continuation.” It appears that the publicly available Azure Blob is used to store documents for the Nohow worker database, as the company requires each prospective operative to pass “prequalification checks,” which entails providing Nohow with a “valid ID, CSCS [Construction Skills Certification Scheme] or trade-related card and 2 recent working references.”
Who had access to the data?
Presently, it is unclear if any malicious actors have accessed the unsecured Nohow Azure Blob and downloaded the deeply sensitive documents. With that said, the confirmed data from the Blob goes back at least several months.
The files were stored on a publicly accessible Microsoft Azure server. Accessing and downloading files hosted on public servers requires almost no technical knowledge, which means that there’s a good chance that the documents contained in this Blob may have been accessed by cybercriminals for malicious purposes.
What’s the impact of the leak?
All of the document images and email messages found in the unsecured Azure Blob are highly sensitive. In the wrong hands, they would be more than enough to cause massive damage to the exposed individuals.
On the dark web, a passport or ID card scan can fetch about $15, putting the total black-market value of the 12,000+ documents found in the Blob at about $180,000.
Acquiring someone’s passport scan is one of the main steps in committing identity theft. By adding more personal details like email, phone number, address, national insurance number, and bank account details – some of which are present in the email message files stored on this Azure Blob – cybercriminals can, in the worst-case scenario, take out loans, credit cards, or other paid services in the exposed construction workers' names.
What happened to the data?
We identified Nohow as the owner of the database and notified the company about the leak on December 8, 2020. However, we received no response. On December 15, we reported the leak to Microsoft CERT, and the blob is no longer publicly accessible.
If you have provided Nohow International with document scans or signed any contracts with the company, you should set up identity theft monitoring via your bank.
In case of any suspicious activity or fraud, do the following as soon as possible:
- Report identity theft to law enforcement
- Notify your creditors, bank, and other financial services of possible identity theft
- Review recent activities on your online accounts and watch out for suspicious emails, messages, and requests
- Replace your national ID and passport