Physical security biz exposes 1.2M files via unprotected database – Source: go.theregister.com

Exclusive A UK-based physical security business let its guard down, exposing nearly 1.3 million documents via a public-facing database, according to an infosec researcher.

A researcher says they stumbled upon a trove of data belonging to Amberstone Security, which included thousands of pictures of its guards as well as pictures of individuals suspected of offenses including shoplifting.

In total, 1,274,086 documents were exposed to the internet via a misconfigured database for an unknown length of time, we’re told. It’s unclear if the data had ever been accessed by anyone with malicious intent.

Amberstone Security offers surveillance, access control, and merchandise-protection products and services, as well as guards on 24-hour duty to customers.

Among the exposed data, which dates back to 2017, was a folder containing 99,151 snapshots of guards checking in for their shifts, either by using a picture of themselves, their ID cards, or both. The pictures taken of the ID cards displayed basic information such as their name, headshot, and the card’s expiry date. In rare cases, it showed their signature too.

The ID cards were also issued by the Security Industry Authority (SIA), the UK’s regulator for the private security industry. The cards do not have any biometric technology built into them and are basic, plastic ID cards that hypothetically could be fairly easily duped and abused.

Speaking to The Register, researcher Jeremiah Fowler, claimed the SIA told him there are plans to introduce biometry to the cards in the near future. However, there is no specific date for this.

“The exposure of SIA identification documents could pose a serious potential threat to public safety, personal privacy, and the integrity of security operations if misused by unauthorized individuals,” said Fowler.

“One hypothetical example of a risk scenario would be if criminals used the exposed information such as the guard’s names, photographs, and license numbers to impersonate security personnel or gain unauthorized access to a secure facility for criminal purposes. This could potentially lead to a physical security breach, theft, vandalism, or – as a worst-case scenario – acts of terrorism.”

Exposing a database in any case would present obvious privacy risks, and these are amplified if the exposed data ties an individual to a suspected crime, which was the case in this incident.

Fowler says the documents found in the exposed database showed images of suspected offenders either seemingly caught in the act via CCTV or photographed by security personnel afterward. Many images clearly depicted the suspects and were captioned with information such as their name, date of birth, and nature of their alleged offense.

In some cases, detailed descriptions of how a suspect operates were found, said Fowler. One man and his associates were known to frequent the Lakeside and Stratford shopping centers in the south east of England, for example, and apparently had a particular penchant for high-value men’s suits.

The description contained details about how suspected offenders got away with the thefts, mentioning that they later return to the store and target young staff to complete a confusing process to obtain a cash refund on the stolen goods.

Similarly, spreadsheets were also filled with information about offenses, how they were committed, and whether violence was used or not.

• UK’s Investigatory Powers Bill to become law despite tech world opposition
• Exposed: Chinese smartphone farms that run thousands of barebones mobes to do crime
• Amazon Ring sounds death knell for surveillance as a service
• UK policing minister urges doubling down on face-scanning tech

Swift response

A day after being alerted to the exposed database, Amberstone Security revoked public access to the database and informed Fowler that the blunder may have been caused by a third party.

“Thank you for bringing this to our attention, this is deeply concerning. I am investigating this with the supplier who developed and hosts the platform,” a company rep told the researcher. “Please rest assured that we take data security seriously, and this will be investigated thoroughly.”

The Register contacted Amberstone for a response and a spokesperson for parent company Argenbright Security Europe said: “Amberstone were made aware of a server configuration issue and immediately contained any risks. We have acted accordingly and in line with our regulatory obligations.”

The identity of the third-party contractor was not specified by Amberstone Security. ®