Background check maker leaks thousands of passports

Protection Plus Solutions, a background check service provider, has leaked thousands of PDF files containing individuals’ Social Security numbers, passport details, and criminal records.

While changing careers can be daunting in itself, job searchers may face unforeseen risks, such as their data leaking online. For example, on May 2nd, the Cybernews research team discovered an exposed database belonging to a platform that HR reps use to do background checks.

The team found an exposed Amazon Web Services (AWS) bucket belonging to Protection Plus Solutions with over 14,600 PDF files. While the team discovered scanned passport photos, most of the files were Social Security number (SSN) verification results, which companies use to determine the identity of individuals.

SSN verification results include sensitive personal information, such as:

  • Names and surnames
  • Dates of birth
  • SSNs

Image: SSN data sample. Sample of the leaked data. Image by Cybernews.

Other files in the exposed bucket turned out to be reports from the Massachusetts Criminal Offender Record Information (CORI), a name-based criminal records check. The reports contain many personal details, such as:

  • Names and surnames
  • Dates of birth
  • SSNs
  • Physical details (height, eye color, weight)
  • Home addresses
  • Offense types
  • Incarceration terms

Image: CORI data sample. Sample of the leaked data. Image by Cybernews.

Our researchers contacted the company about the leak, and the bucket was closed by the end of May. We also reached out for an official comment but have yet to receive a response.

According to the team, exposing personal information, such as SSNs and passports, could lead to identity theft. Threat actors may steal identities for unauthorized financial activities, including opening bank accounts, obtaining credit cards, and securing loans in the victim’s name.

“Data exposure can lead to a breach of privacy, as it reveals crucial pieces of personal information that should be kept confidential. For example, criminal case details may include sensitive information about victims or witnesses, whose safety could be jeopardized if their identities are revealed,” the researchers said.

To mitigate the issue and avoid similar cases in the future, the team advised the company to:

  • Apply bucket policies that restrict access to only necessary users and services
  • Use server-side encryption (SSE) with AWS-managed keys (SSE-S3) or customer-managed keys (SSE-KMS)
  • Enable S3 access logging to capture detailed records of requests made to the bucket
  • Implement lifecycle policies to manage the storage class and expiration of objects, ensuring sensitive data is archived or deleted when no longer needed
  • Perform penetration testing to uncover potential security flaws
  • Remove or secure indexed content
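The recommendations above map onto a handful of S3 settings. The following added example (not Cybernews' code, and not anything from Protection Plus Solutions) puts a world-readable bucket policy of the kind that produces leaks like this one next to a least-privilege replacement, plus the public-access-block, default-encryption (SSE-KMS), access-logging and lifecycle configurations the team lists. The bucket name, account id, role ARN, KMS key ARN and log bucket are placeholders; the dictionaries have the shapes boto3's put_* calls accept, and those calls are shown as comments so the script runs offline. A small checker flags Allow statements that grant access to anonymous principals, which is the single misconfiguration that exposes a bucket to anyone on the internet.

```python
"""Hardened S3 configuration for a bucket holding background-check PDFs.

Added example; placeholders: bucket, account, role, KMS key, log bucket.
"""
import json

BUCKET = "example-background-checks"                      # placeholder
ACCOUNT = "123456789012"                                  # placeholder
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/bgcheck-app"     # placeholder
KMS_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/placeholder-key-id"
LOG_BUCKET = "example-access-logs"                        # placeholder

# Constructed example of a policy that makes every object world-readable.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Least-privilege replacement: only one application role may read or write
# objects, plaintext HTTP is refused, and uploads must be SSE-KMS encrypted.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
    ],
}

# Account-level guard rails: reject public ACLs and public policies outright.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Default encryption with a customer-managed key (SSE-KMS).
ENCRYPTION = {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KMS_KEY},
    "BucketKeyEnabled": True,
}]}

# Server access logging to a separate bucket, one prefix per source bucket.
LOGGING = {"LoggingEnabled": {"TargetBucket": LOG_BUCKET,
                              "TargetPrefix": f"{BUCKET}/"}}

# Archive reports after 90 days and delete them after a year.
LIFECYCLE = {"Rules": [{
    "ID": "archive-then-expire", "Status": "Enabled", "Filter": {"Prefix": ""},
    "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
    "Expiration": {"Days": 365},
}]}


def _principals(principal):
    """Normalise the Principal element into a list of principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return [principal]


def public_allow_statements(policy):
    """Return the Sids of unconditional Allow statements open to anyone.

    Statements with a Condition are skipped; this is a simplification, since
    a sufficiently broad condition can still be public in practice.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in _principals(stmt.get("Principal")):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    print("weak policy public Sids:", public_allow_statements(WEAK_POLICY))
    print("hardened policy public Sids:", public_allow_statements(HARDENED_POLICY))
    print(json.dumps(HARDENED_POLICY, indent=2))
    # Applying with boto3 (not executed here):
    #   s3 = boto3.client("s3")
    #   s3.put_public_access_block(Bucket=BUCKET,
    #       PublicAccessBlockConfiguration=PUBLIC_ACCESS_BLOCK)
    #   s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(HARDENED_POLICY))
    #   s3.put_bucket_encryption(Bucket=BUCKET,
    #       ServerSideEncryptionConfiguration=ENCRYPTION)
    #   s3.put_bucket_logging(Bucket=BUCKET, BucketLoggingStatus=LOGGING)
    #   s3.put_bucket_lifecycle_configuration(Bucket=BUCKET,
    #       LifecycleConfiguration=LIFECYCLE)
```

The checker only answers the narrow question "does any Allow statement name an anonymous principal without a condition"; it deliberately ignores the two Deny statements in the hardened policy, whose "*" principal is what makes the TLS and encryption requirements apply to every caller. Running it against both policies shows the weak one flagged on its PublicRead statement and the hardened one clean.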