Nearly 1 Million Records Exposed In Multiple Airport Lost and Found Data Breach

Written by: Jeremiah Fowler
Last updated: 03 March 2025
Cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet a non-password-protected database that contained 820,750 records belonging to Lost and Found Software, a Germany-based company offering lost and found tracking and return services for multiple airports in the US, Canada, and Europe.


I recently discovered a single publicly exposed database that was not password-protected or encrypted. Upon viewing records inside the database, it became clear that it was some type of lost and found tracking software system for the airline industry. Once I was confident I knew who the owner of the data was, I used the same name format of the exposed database and changed only the airport abbreviation based on the airports listed as customers using the software. By applying this method I was able to predict and identify a total of 14 databases. I discovered 10 databases that were publicly accessible and 4 that were restricted. The combined databases contained 820,750 records totaling 122 GB in size.

In a limited sampling of the exposed documents, I saw records and images indicating shipping labels, screenshots, reports, and lost items. The lost items included medical devices, computers, personal electronics, wallets, bags, antiques, and just about anything else you can imagine travelers taking with them on their flights. The most concerning files I saw in the database were a large number of high-resolution images of identification documents such as passports, driver's licenses, employment documents, and more. It is not known whether these images of identification documents were created to file claims and establish ownership of lost documents, or whether the documents themselves were lost and copies were uploaded by airport staff or officials.

The chat files also contained a number of screenshots that included payment confirmations to have items returned, shipping labels, original receipts of lost products, and additional documents containing PII. The majority of the records were contained inside of folders labeled “user image and item image”.

The name of the database and the records inside it indicated that they belonged to Lost and Found Software, a Germany-based software company whose product, according to its website, is designed to reduce the administrative workload while improving service and increasing the return rate and customer satisfaction. I immediately sent a responsible disclosure notice to Lost and Found Software, and all 14 identified databases were restricted from public access and no longer accessible within hours of my notification.

The following day I received a reply to my responsible disclosure notice stating: “Thank you for bringing your security research to our attention. We have already taken initial steps to restrict public access to the information and are working on removing access to the specific files that were available until now”. Although the records belonged to Lost and Found Software, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.

According to Lost and Found’s LinkedIn profile, the company provides image recognition technology that enables customer service to automate the registration of found items in real time. The image recognition system automatically identifies the type, color, and location where the item was found. The system can include details such as brand, serial numbers, or information on identification documents.

Potential Risks

The exposure of passports, driver's licenses, and other identification documents can provide criminals with valuable data that could hypothetically be used to commit identity fraud, open additional accounts in an individual's name, or create counterfeit documents using the real identities or documents of travelers. Private identification data can be valued at over $1,000 USD on the dark web.

The insider knowledge of specific lost items could provide criminals with enough information to launch targeted scams on individual travelers. By posing as employees of a legitimate lost and found recovery service, malicious actors could request additional personal or financial information. The traveler would have little reason to doubt that the request is legitimate, as theoretically only the traveler, the airline, and the lost and found recovery service would know exactly what was lost, when, and where. As an example, if a traveler had lost a high-value item (like a personal computer) and it was never found, the criminal could say “we found your computer, I am confirming your personal information, provide me with your credit card number so we can return it back to you”. Using social engineering and insider information, the odds of a successful scam increase significantly.

I am not saying these individuals are at imminent risk of any targeted fraud or other scams; I am only describing a real-world hypothetical scenario of how this information could potentially be used. Anyone who believes their data has been exposed should monitor their credit report and identity for suspicious activity, and should never provide personal or financial details without verifying that the request is official via a formal communication channel.

When technology companies have multiple clients and multiple databases, it can be tempting to give them uniform names out of convenience. I would highly recommend against this method because using predictable names for databases greatly increases the cybersecurity risks. As an ethical security researcher, I was able to easily guess the existence of additional databases by changing only the name of the client airport while leaving the name structure of the database intact.

Cybercriminals use both manual and automated scanning for their attacks; if one database is exposed, it opens the entire network up to being targeted when names or formats are predictable. Even if one or more of the databases is secured, it is clear to the criminals what type of data is stored there and they can launch a wide range of potential attacks to gain unauthorized access. Alternatively, assigning each database a unique and independently derived name would isolate any potential data incident to a single database, as the others would not be easy to guess. I am not implying that Lost and Found Software faced these potential risks. I am only providing potential threat awareness for educational purposes as a hypothetical worst case scenario.
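As an added illustration (this is not code from Website Planet or from Lost and Found Software), the following Python shows one way to address the guessable-name problem described above: derive each client's storage name from a secret with HMAC, so that seeing one name reveals nothing about its siblings, and run a small audit over your own inventory that flags names differing only in one short token, which is exactly what made substituting an airport abbreviation work. The inventory names and the key are constructed placeholders, not the real database names, which the report does not publish.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed inventory for the demo; the report does not publish the real
# database names and these are not them. Names differ only in one short token.
SAMPLE_INVENTORY = [
    "lostfound-jfk-prod",
    "lostfound-lax-prod",
    "lostfound-yyz-prod",
    "lostfound-jfk-staging",
    "billing-archive",
]

_SEP = re.compile(r"[-_.]")


def derive_storage_name(tenant_id: str, secret_key: bytes, prefix: str = "st") -> str:
    """Opaque per-tenant name: HMAC-SHA256 of the tenant id under a secret that
    stays out of the data plane. Seeing one tenant's name gives no way to
    compute a sibling's, unlike a '<product>-<airport>' template."""
    tag = hmac.new(secret_key, tenant_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{tag[:24]}"


def find_templated_names(names, min_group: int = 2, max_token_len: int = 8):
    """Audit check: group names that differ in exactly one separator-delimited
    token. If every varying token is short (airport code, environment name),
    the group is a template an outsider could enumerate from one exposed
    name; long random tokens are not flagged. Returns {template: members}."""
    groups = defaultdict(dict)  # template -> {name: varying token}
    for name in names:
        tokens = _SEP.split(name)
        if len(tokens) < 2:
            continue
        for i, tok in enumerate(tokens):
            template = "-".join(tokens[:i] + ["*"] + tokens[i + 1:])
            groups[template][name] = tok
    return {
        t: sorted(m)
        for t, m in groups.items()
        if len(m) >= min_group and all(len(v) <= max_token_len for v in m.values())
    }

if __name__ == "__main__":
    key = b"placeholder-secret-key"  # in practice, loaded from a secrets manager
    print([derive_storage_name(t, key) for t in ("JFK", "LAX", "YYZ")])
    print(find_templated_names(SAMPLE_INVENTORY))
```

Run against the constructed inventory, the audit reports the `lostfound-*-prod` and `lostfound-jfk-*` templates as guessable, while a set of HMAC-derived names produces no findings.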

I would recommend that companies that collect and store images and documents classify them by sensitivity. An image of a suitcase or an iPad may not be as sensitive as an image of a passport or a claims form containing PII, and, correspondingly, they should be treated separately based on the degree of sensitive information they contain. Once data is identified as potentially sensitive, the relevant files should be encrypted. Additionally, to limit the risks of a future data exposure, companies should:
  • Implement enhanced authentication measures to prevent unauthorized access to sensitive records.
  • Give potentially sensitive data an expiration date, storing only necessary information for a limited time.
  • Conduct regular security audits and penetration testing, which may be able to identify public exposures and additional vulnerabilities.
This breach serves as a stark reminder of the real-world risks of inadequate data protection measures when collecting and storing traveler information.

I imply no wrongdoing by Lost and Found Software dba getsteroo GmbH in Germany, any contractors, affiliates, or related entities. I do not claim that internal, traveler, or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity. It should not be construed as a reflection of or commentary on any organization’s specific practices, systems, or security measures.

As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots as necessary and solely for verification purposes. I do not conduct any activities beyond identifying the security vulnerability and notifying the relevant parties. I disclaim any and all liability for any and all actions that may be taken as a result of this disclosure. I publish my findings to raise awareness of issues of data security and privacy. My aim is to encourage organizations to proactively safeguard sensitive information against unauthorized access.
