When luggage goes missing or lost, it’s not just an inconvenience – it could be a gateway for cybercriminals to steal your identity. Recently, fourteen publicly exposed databases were found online containing 820,750 sensitive records and personal data totalling 122GB in size.

“I recently discovered a single publicly exposed database that was not password-protected or encrypted. Upon viewing records inside the database, it became clear that it was some type of lost and found tracking software system for the airline industry,” writes cybersecurity researcher Jeremiah Fowler, who first discovered the databases and reported them to Website Planet. The open databases contained details on lost airport items – including medical devices, computers, personal electronics, wallets, bags, and antiques – along with personally identifiable information about their owners.

The instance was linked to Lost and Found Software, which is managed by a German company and used by multiple airports across the US, Canada, and Europe to manage lost luggage with an automated item recognition system.

What data was leaked?

  • Screenshots of payment confirmations of returned items, shipping labels, original receipts of lost products, and additional documents containing personally identifiable information (PII)
  • Reports
  • Images and details of lost items
  • Return addresses
  • High-resolution images of documents: passports, driver’s licenses, and employment documents

The researcher was not able to identify for how long the databases remained accessible to anyone on the internet. It remains unknown if any threat actors have also accessed the databases.

“I immediately sent a responsible disclosure notice to Lost and Found Software, and all of the identified 14 databases were restricted from public access and no longer accessible within hours of my notification,” stated Fowler. The company responded to the disclosure and secured access to the databases.

Luggage owners are at risk of identity theft

Exposed passports, driver’s licenses, and other IDs can give criminals the data needed for identity fraud, opening accounts in someone’s name, or forging documents using real traveller information. On the dark web, such private identification data can be worth over 1,000 euro.

Insider knowledge of lost items could also help scammers target travellers with sophisticated phishing campaigns. Posing as lost and found employees, they could trick victims into providing more personal or financial details.

Since only the traveller, airline, and lost and found service should know what was lost, when, and where, the request would seem completely legitimate.

How to prevent such data leaks?

The data leak highlights the importance of encrypting sensitive data and implementing enhanced authentication measures. Fowler warns that technology companies with numerous clients and multiple databases can feel tempted to give them uniform names out of convenience. However, using predictable names for databases greatly increases cybersecurity risk.

“As an ethical security researcher, I was able to easily guess the existence of additional databases by changing only the name of the client airport while leaving the name structure of the database intact.”

Cybercriminals use both manual and automated scanning to find vulnerabilities. If one database is exposed, a predictable name or format can put the entire network at risk.

“Even if one or more of the databases is secured, it is clear to the criminals what type of data is stored there, and they can launch a wide range of potential attacks to gain unauthorized access,” explains the researcher.
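One way to act on the naming advice above, as an added example that is not from the article or from Lost and Found Software: audit your own database inventory for names that differ only by client, and derive opaque per-client names with a keyed hash instead. The tenant names, the `lostfound-<tenant>-prod` pattern and the key below are constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict


def opaque_db_name(secret: bytes, tenant: str, prefix: str = "db") -> str:
    """Derive a stable database name that cannot be guessed from the tenant.

    HMAC-SHA256 under a server-side key: knowing one tenant's database name
    reveals nothing about another's unless the key is also known.
    """
    digest = hmac.new(secret, tenant.lower().encode(), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:24]}"


def find_predictable_groups(names, tenants):
    """Return name templates shared by more than one database.

    Each known tenant token is masked out of every name. If several names
    collapse to the same template, one exposed name discloses the rest.
    """
    tokens = sorted({t.lower() for t in tenants if t}, key=len, reverse=True)
    if not tokens:
        return {}
    pattern = re.compile("|".join(re.escape(t) for t in tokens))
    groups = defaultdict(list)
    for name in names:
        template, hits = pattern.subn("{tenant}", name.lower())
        if hits:
            groups[template].append(name)
    return {tpl: sorted(ms) for tpl, ms in groups.items() if len(ms) > 1}


# Constructed sample data (not taken from the incident).
TENANTS = ["northfield", "lakeside", "harbour"]
INVENTORY = ["lostfound-northfield-prod", "lostfound-lakeside-prod",
             "lostfound-harbour-prod", "billing-archive"]
DEMO_KEY = b"constructed-demo-key"  # assumption: real key comes from a secret store

if __name__ == "__main__":
    for template, members in find_predictable_groups(INVENTORY, TENANTS).items():
        print(f"predictable scheme {template!r}: {members}")
    for tenant in TENANTS:
        print(tenant, "->", opaque_db_name(DEMO_KEY, tenant))
```

Opaque names only remove the hint that one exposed name gives about the others; every database still needs the authentication and encryption the article calls for.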
