An open cloud storage bucket containing over 49,000 private documents linked to two Italian companies was discovered last July by cybersecurity researcher JayeLTee.
According to the researcher, the exposed documents belonged to the companies Engled S.r.l. and Italian Gas S.r.l., which operate in the energy sector. A total of 39.46 GB of data was uploaded to the server between November 2020 and the present, and for some time these files could be freely downloaded without any authentication, most likely because of misconfigured access permissions.
JayeLTee claims that the reviewed files included sensitive documents, among them identification documents of private citizens who had used the services of the two companies. In his article published on his infosec.exchange page, he writes:
Inside the server were all kinds of documents related to wall-mounted boilers and AC installations.
I believe the documents were related to the Ecobonus program, a tax deduction program run by the Italian Gov. Most of the installations mentioned this program and had documents related to it.
I also found a website that is likely related to the contents on this server: https://www.areadealers-italiangas.com/
In his article, the researcher provides a detailed list of the types of documents stored in the cloud storage:
– Client ID documents
– Technicians ID documents next to the certifications they issued after the installations
– Contracts
– Authorization to handle bureaucratic tasks on behalf of the client
– Wire Transfers
– Property Inspections
– Proposals
– Questionnaires and more
He claims that at least 2,000 people, including customers and agents, were affected by the data breach.
From analysis of the amount of each document exposed here, I believe at least ~2000 people (clients and agents) had their private information exposed on this server; the real number is something only the company will be able to tell though.
On September 17, JayeLTee sent a notification email to the Italian Data Protection Authority, and ten days later, on September 27, the exposed cloud storage was no longer accessible.
On October 2, the researcher received two emails with identical content, one from Engled S.r.l. and the other from Italian Gas S.r.l. Part of the emails reads (translated into English):
“[…] We remind you that you have a duty to delete any documents in your possession as you are not entitled to access and/or keep the personal data contained therein. […]”
You can read the full article and further details of this case at https://infosec.exchange/@JayeLTee/113316396745115474