An open Amazon Web Services S3 bucket exposed sensitive data about international students, including passport scans, visa details, and education agreements.
The collection of tens of thousands of documents appeared to include invoices, placement documents, and copies of emails received by MEGT.
Sydney-headquartered MEGT provides recruitment, group training and payroll services. The breach is believed to have related to its international student education arm.
[Update July 2: MEGT has clarified the breach is believed to have related to international student data, not apprentice.]
MEGT itself did not appear to have set up the S3 bucket; it appeared to have been employed by a third-party service provider for a migration process involving the company.
The unsecured S3 bucket was unearthed by UK privacy advocate Gareth Llewellyn.
Llewellyn told Computerworld that he alerted the Australian Signals Directorate to the breach. Public access to the bucket was closed off last week, but until recently the documents remained cached by Google.
MEGT did not respond to requests for comment.
The MEGT breach is notable both for the sensitivity of the information it appeared to contain and its scale. More than 143,000 items were in the S3 bucket.
Not all of the items are documents: some filenames indicated they were copies of software.
The documents hosted in the AWS service dated back to at least 2014.
Llewellyn in January revealed that thousands of resumes and cover letters, many of them from individuals applying for roles at First National Real Estate, had been exposed by an Australian based online psychometric assessment service.
Earlier this year, a sizeable data breach linked to an unsecured S3 bucket claimed the scalp of the chief executive of property valuation firm LandMark White (LMW).
LMW had brushed off attempts to alert it to the breach, including an effort by Llewellyn.
In the aftermath of the breach the ASX-listed company downgraded its full year revenue forecast to $43.5 million from $55 million after major clients suspended their use of its services.
Three weeks ago LMW entered its third trading halt of 2019 as it struggled with the fallout from a second breach, which involved a small number of the company’s documents being posted on a document-sharing service.
In April, an open S3 bucket led to 540 million records relating to Facebook accounts being exposed. That breach, revealed by UpGuard, was linked to Cultura Colectiva, the developer of a Facebook app.
Earlier this year the Office of the Australian Information Commissioner (OAIC) released a report assessing the first year of operations of the Notifiable Data Breaches Scheme. Although the scheme commenced in February 2018, the report focused on the first full four quarters of operation: 1 April 2018 to 31 March 2019.
During that period, the OAIC was notified of 964 eligible data breaches. Some 60 per cent of those breaches related to criminal or malicious acts (phishing, for example, was the leading cause of data breaches during the 12 months). However, the OAIC figures reveal that more than a third of the breaches related to human error, and five per cent to system faults.
Last year Amazon announced that AWS Trusted Advisor’s S3 Bucket Permissions check would be available for free to customers of its cloud service. Prior to that announcement it had been available only to AWS customers with Business and Enterprise support.