Global Document Translation Service Exposed Highly Sensitive Records Online
Recently, security researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database containing more than 25k records. The publicly exposed documents included highly sensitive files, which contained personally identifiable information (PII).
The unsecured database contained internal screenshots of source code as well as customer documents that were stored in uploads folders. These documents include: US Federal and State tax filings, passports, driver licenses, birth and marriage records, business documents, denied visa petitions, among other files from customers around the world. Upon further research, there were references and invoices linked to a NYC-based translation service provider, Kings of Translation. The company offers translation services and claims to have locations in the UK and Latvia. The database contained a total of 25,601 records. Kings of Translation purportedly used its own technology to let customers upload their documents and pay for the order automatically. I immediately sent a responsible disclosure notice to Kings of Translation. Despite receiving no response, I noted that public access to the database was restricted the following day.
People usually don’t consider how paper documents offline can become an online data risk, but this discovery proves that even those documents can be compromised. In my years as a security researcher, I have seen all types of documents and data breaches from a wide range of industries, organizations, and businesses, and this is the first time I have found the data of a translation service and its customers. However, I have never seen such a wide range of documents in a single database before. Some businesses handle more sensitive records than others, and usually the documents they collect and store are related to their specific business or industry. Documents that need to be translated are often of significant importance and may be required by foreign governments or educational institutions, or for acquiring crucial records such as birth, marriage, divorce, and death certificates, among others.
Document translations are important and often required. Based on the nature of the exposed documents in the database, I was able to outline some of the reasons individuals would need translation services. Companies often need to translate contracts, agreements, or financial statements. Partners, clients, and customers in different countries need documents to be available in a language they can understand.
Additionally, there are legal documents, such as contracts, court documents, and certificates, that need to be translated to ensure accurate understanding and compliance with legal requirements in different jurisdictions. Governments also require translations for various purposes, including immigration and visa applications, issuance of passports, birth and marriage certificates, driver’s licenses, or education credentials, as well as for official correspondence with individuals or entities in other countries.
The potential risks that come with the exposure of sensitive translation documents due to a data breach are wide-ranging. Exposed tax records, passports, and identification documents may potentially put individuals at risk of identity theft or tax fraud. It is conceivable that criminals could use these documents to file false tax returns and try to claim a refund or obtain credit in the victim’s name. This would potentially leave the victim liable for any debts, penalties, or fees. Another potential risk would be criminals intercepting government documents or business trade secrets that were translated or in the process of translation. Exposed correspondence or business letters could leak classified or private information.
We are not implying any wrongdoing by Kings of Translation or suggesting that their customers’ data was accessed by malicious actors. Any statements made about individuals or organizations are included to provide context, not to allege misconduct. We are only identifying what the publicly exposed database contained and providing information about potential real-world risks. It is unknown how long these records were exposed online prior to public access being restricted. Furthermore, I have not received a response from anyone at Kings of Translation to date. Companies that collect and store data must take every possible step to secure customer documents; for instance, they could implement firewall restrictions and encrypt sensitive documents.