Misconfigured AWS Bucket Leads to Major Data Exposure of Resumes and Contact Information
The Bank Street College of Education, a renowned private New York institution, has inadvertently exposed more than 500,000 sensitive files through a misconfigured Amazon AWS S3 bucket, according to cybersecurity researchers. The leak included resumes, CVs, and detailed personal data—posing a serious risk of phishing, identity theft, and social engineering attacks.
What Data Was Exposed in the AWS Leak?
The unprotected AWS instance, discovered by the Cybernews research team, contained hundreds of thousands of files dating from 2014 to 2022, primarily comprising resumes and CVs. Each document typically included:
- Full names
- Home addresses
- Phone numbers
- Email addresses
- Educational and professional histories
These documents formed detailed personal profiles, making them valuable targets for cybercriminals seeking to conduct phishing attacks, identity fraud, or doxxing campaigns.
Sample of the leaked data. Image by Cybernews.
Researchers emphasized that such exposed records could be exploited to impersonate faculty or alumni, fabricate fake academic credentials, or breach school systems by masquerading as legitimate users.
Threat Impact: Identity Theft, Phishing, and Voice Scams
The volume and detail of the exposed data significantly increase the potential for targeted phishing attacks. Threat actors could:
- Send fraudulent job offers, mimicking employers who supposedly received the victim’s resume
- Impersonate school officials or financial institutions to request banking details or ID scans
- Use voice phishing (vishing) or SMS phishing (smishing) to trick victims into paying fake tuition fees, student loans, or background check fees
Cybersecurity analysts warned that these kinds of attacks are highly effective because they exploit trust and mimic legitimate institutional outreach.
Timeline of the Exposure
- Leak Discovered: February 21, 2025
- Initial Disclosure to Institution: February 26, 2025
- CERT Contacted: March 5, 2025
The bucket remained publicly accessible for at least a month, providing ample opportunity for automated bots and malicious actors to scan and potentially download the data.
Recommended Mitigation Steps for Cloud Security
To prevent future breaches, researchers urged Bank Street College of Education and other institutions handling personal data to adopt cloud security best practices, including:
- Restricting public access and enforcing least privilege permissions
- Reviewing and updating access control lists (ACLs)
- Monitoring AWS access logs for suspicious activity
- Enabling server-side encryption and using AWS Key Management Service (KMS)
- Enforcing SSL/TLS for secure data transmission
- Conducting regular security audits and employee training on cloud data protection
Institutional Response Pending
At the time of writing, Bank Street College of Education has not issued a public response or clarification regarding the exposure. The Cybernews team has reached out for comment and will update the disclosure when further information becomes available.
