Dangerous mistake: major US broadcaster exposed 1M sensitive files to public


Valley News Live, a subsidiary of America’s third-largest media network, exposed millions of resumes with personal data, ranging from home addresses to educational backgrounds.

As if applying for a job wasn’t stressful enough, applicants also risk exposing their personal details. The Cybernews research team found that Valley News Live, a North Dakota-based television station, exposed sensitive job seekers' data to anyone on the internet.

The team surmised that the unprotected data comes from Valley News Live’s job portal, which receives up to 250,000 monthly visitors. Researchers claim the exposed details were stored on an unprotected Amazon AWS S3 bucket.


The bucket stored over 1.8 million files with over a million of them being job seekers' resumes. Worryingly, more than half of all exposed CVs and resumes span numerous years, covering a period ranging from 2017 to 2024.

Valley News Live is based in Fargo, North Dakota, and delivers regional news coverage for the area and the Red River Valley region. The station is owned by Gray Television, the third-largest broadcaster in the United States, which operates 180 stations nationwide.

What private data was leaked:

  • Full names
  • Phone numbers
  • Email addresses
  • Home addresses
  • Dates of birth
  • Nationality and places of birth
  • Social media links
  • Employment history
  • Educational background

“The exposed data includes highly sensitive personal identifiers, creating numerous attack vectors for cybercriminals, where personal information can be used to create synthetic identities or fraudulent accounts,” the team said.

Risk of identity theft

Exposing applicants’ personal details endangers their privacy, as cybercriminals could exploit leaked details for identity theft as well as targeted social engineering and phishing attacks.


Phishing attacks involve cybercriminals sending deceptive messages designed to trick recipients into revealing personal information, clicking on malicious links, or downloading harmful attachments.


Meanwhile, with access to extensive personal information, including contact details and employment history, cybercriminals can create highly personalized and convincing phishing emails or even impersonate the victim, potentially stealing additional sensitive data and causing financial losses.

Even a leaked phone number can pose a threat as attackers may employ SIM swapping attacks, in which the attacker gains control of the victim’s phone number.

Exposed links to social media profiles add an additional layer of risk, as they are a treasure trove of personal data. Your social media profile could reveal personal information, like your interests and professional connections, that could be further exploited by bad actors.

Cybernews contacted Valley News Live multiple times but received no response.

How do you protect yourself from such data leaks?

  • Restrict public access and update permissions to limit access to authorized users only
  • Review access logs to check for unauthorized access
  • Enable server-side encryption to protect stored data
  • Use AWS Key Management Service (KMS) to manage encryption keys securely
  • Implement SSL/TLS for secure data transmission
  • Follow security best practices, including regular audits, automated checks, and employee training
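
For teams that want to turn the checklist above into an automated check, here is an added example (not from the Cybernews research) that audits one bucket's configuration snapshot against the first five items. The bucket names, key alias and finding ids are made up for illustration; the dictionary keys follow the response fields of the S3 GetPublicAccessBlock, GetBucketEncryption, GetBucketLogging and GetBucketPolicy APIs.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _statements(policy_json):
    # A policy's Statement may be a single object or a list of them.
    stmts = json.loads(policy_json or '{"Statement": []}').get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def audit_bucket(cfg):
    """Return sorted finding ids for one bucket's configuration snapshot."""
    findings = set()
    # Restrict public access: all four Block Public Access flags must be on.
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    if not all(pab.get(f) is True for f in PAB_FLAGS):
        findings.add("public-access-block-incomplete")
    # Server-side encryption with a KMS-managed key as the bucket default.
    rules = (cfg.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"aws:kms", "aws:kms:dsse"}:
        findings.add("default-encryption-not-kms")
    # Access logs can only be reviewed if server access logging is enabled.
    if not cfg.get("LoggingEnabled"):
        findings.add("access-logging-disabled")
    tls_enforced = False
    for s in _statements(cfg.get("Policy")):
        cond = s.get("Condition") or {}
        # An unconditional Allow to everyone makes objects readable by anyone.
        if s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"}) and not cond:
            findings.add("policy-allows-anonymous-access")
        # TLS is enforced by a Deny on requests where aws:SecureTransport is false.
        secure = cond.get("Bool", {}).get("aws:SecureTransport")
        if s.get("Effect") == "Deny" and str(secure).lower() == "false":
            tls_enforced = True
    if not tls_enforced:
        findings.add("tls-not-enforced")
    return sorted(findings)

# Constructed snapshots (bucket names and key alias are made up for this example).
ARNS = ["arn:aws:s3:::example-resume-uploads", "arn:aws:s3:::example-resume-uploads/*"]
EXPOSED = {
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": ARNS[1]}]}),
}
HARDENED = {
    "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-resume-key"}}]},
    "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "resume-uploads/"},
    "Policy": json.dumps({"Statement": {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": ARNS,
                                        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}}),
}
```

Calling `audit_bucket(EXPOSED)` reports all five findings, while `audit_bucket(HARDENED)` returns an empty list. The final checklist item (regular audits, automated checks, employee training) is a process matter and is not modelled here.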

Disclosure timeline:

  • Leak discovered: August 31st, 2024
  • Initial disclosure: September 17th, 2024
  • CERT contacted: December 20th, 2024