We recently uncovered an unsecured Amazon Simple Storage Service (S3) bucket that contains more than 36,000 documents, including scans of national IDs, credit cards, and health insurance cards. The database also contains sales representative enrollment contracts that include personally identifiable information such as full names, addresses, tax identification numbers, and signatures of mostly Italian citizens.
The database appears to belong to Ariix Italia, the recently launched Italian branch of Ariix, a US-based multi-level marketing company that advertises and sells health and wellness products.
On May 28, we tried to reach out to Ariix regarding the leak but received no response. We then reported the incident to Amazon and they were able to secure the S3 bucket. As of June 5, the Ariix Italia data bucket has been closed and is no longer accessible.
What data is in the bucket?
At the time of discovery, the data bucket contained 7,515 PDF and 25,895 JPG files.
The files include national ID cards:
Health insurance cards:
Sales representative enrollment contracts:
Most of the contracts in the S3 bucket appear to be Ariix sales representative enrollment contracts that contain the following personally identifiable information:
- Full names
- Dates of birth
- Tax identification numbers
- Street addresses
- Email addresses
- Phone numbers
Who owns the bucket?
The unsecured S3 bucket belongs to Ariix, a multi-level marketing company based in Utah, United States. Dubbed “The Opportunity Company,” Ariix offers a wide variety of health and wellness products ranging from skincare products such as Nucerity and Reviive to nutritional supplements like Nutrifii to Ariix-branded notebooks that are sold online as well as by the company’s sales representatives.
Ariix operates in more than 20 different countries including the United States, Canada, Australia, Japan, the United Kingdom, and the European Union. Recently, Ariix has entered the Italian market, where the original owners of the vast majority of the documents stored in the unsecured bucket appear to originate from.
Who had access?
At the moment, it is unclear if any bad actors have accessed the Ariix Italia S3 data bucket. With that said, the confirmed data goes back at least several months. During this period, the bucket could have been accessed by anyone, as long as they knew where to look.
Therefore, as a precaution, Ariix Italia customers and sales representatives who have provided the company with their personal information should verify that their identities have not been used to commit fraud or other illegal activities.
What’s the impact?
All of the document scans found in the unprotected Ariix data bucket are deeply sensitive, and most of them are more than enough for an attacker to put up the victims’ identities for sale on the black markets of the dark web or simply steal their money from credit cards.
Once acquired, the personally identifiable data that belongs to more than 30,000 people whose documents are stored in the bucket can be used to:
- Mount convincing phishing attacks
- Launch targeted phone and email spam campaigns
- Take out loans and credit cards in victims’ names
- Steal money
- Buy illicit goods with victims’ credit cards
- Use the victims’ health insurance
- Brute-force online account passwords
What to do if you have been affected?
Apart from activating fraud alert on their bank accounts, customers and sales representatives who have provided Ariix Italia with document scans or signed any contracts with the company should do the following in case of any suspicious activity of fraud:
- Report identity theft to law enforcement
- Notify their creditors, banks and other financial services of possible identity theft or credit card theft as soon as possible
- Review and regularly monitor recent activities on their online accounts for suspicious emails, messages, and requests
- Replace their national IDs, credit cards, and medical insurance cards
We identified Ariix as the owner of the database and notified the company about the leak on May 28, 2020. However, we received no answer.
On June 1, we reported the unsecured bucket to Amazon. After providing the AWS Trust & Safety team with more information on June 5, they were able to disable unauthorized access to the bucket on the same day.