A data breach at a German travel tracking software firm, Lost & Found, has potentially exposed the personal information of over 800,000 customers. Security researcher Jeremiah Fowler discovered a publicly accessible dataset containing 820,750 records totaling 122GB. This compromised data included sensitive information from 14 databases, 10 of which were completely open to the public.
Details of the Data Breach at Lost & Found
The exposed data encompassed a wide range of sensitive information. This included shipping labels, lost item reports, and screenshots of lost items. These items ranged from personal electronics and wallets to bags and medical devices—common personal effects travelers carry on flights.
More alarmingly, the breach also exposed personally identifiable information (PII). This included passport scans, driver’s licenses, and employment documents. Fowler speculates that this PII may have been uploaded by airport staff or used in claims to identify lost items.
“A dataset containing 820,750 records totaling 122GB has been discovered online, most likely belonging to German tracking software firm Lost & Found, which primarily services the aviation industry,” Fowler stated.
The Risks and Impact
The exposure of this data presents significant risks to affected individuals. The primary concern is identity theft. Criminals could use the stolen passport and driver’s license scans to apply for loans, credit cards, or open bank accounts.
Following the disclosure, the databases were secured within hours. However, the duration of the exposure and whether threat actors accessed the information remain unknown. This uncertainty leaves those affected vulnerable to various cybercrimes.
“Since there is a possibility that the information was accessed by threat actors, this leaves anyone exposed in the breach at risk. Since IDs and passports were included, this means the primary risk is identity theft, as criminals could use these scans to apply for loans, credit cards, or bank accounts,” the TechRadar warns.
Recommendations for Affected Individuals
To mitigate the risks, individuals concerned about potential exposure should take the following precautions:
- Closely monitor their accounts, transactions, and statements.
- Immediately report any suspicious activity to their bank or financial institution.
- Remain vigilant against social engineering attacks and carefully scrutinize any unexpected communications from unknown sources, particularly those requesting immediate action.
The Ongoing Investigation
It’s currently unclear whether Lost & Found directly owned and managed the databases or if a third-party contractor was responsible. The investigation into the breach is ongoing. This includes determining the extent of the data compromise and identifying the responsible parties.
The incident highlights the critical need for robust data security measures across all sectors, especially those handling sensitive personal information.
Similar incidents like the recent Freddie Mac Data Breach, where Social Security numbers were compromised, underscore the pervasive nature of these threats.
Helpful Reads:
Learn more about protecting your enterprise from such attacks by reading our articles.
