Security researchers have discovered that Doxzoo, a British document printing and binding company, has suffered a major security breach exposing personal documents of hundreds of thousands of its customers.
The incident is said to have violated copyright laws and potentially released British military information. The researchers, a team from vpnMentor, uncovered a leaking S3 bucket holding more than 343GB of records on an Amazon server run by Doxzoo.
The company provides printing and binding services for customers worldwide, and the leak includes print jobs for many high-profile clients, including elite UK universities, US and UK military branches and Fortune 500 companies.
The breach gives access to countless copyrighted documents that could be easily downloaded and exploited, as well as names, birth dates and personal photos.
A vpnMentor spokesperson said: “Doxzoo has a handful of high-profile customers for whom they are executing a variety of print jobs, including complete scripts and screenplays, full-length books, sought-after paid wellness plans, and internal military handbooks, to name a few projects.
“They also get requests from private individuals who order family scrapbooks (complete with pictures of the kids), bachelorette souvenirs with potentially compromising photos of the bride-to-be, and more. Additionally, Doxzoo seems to regularly request full scans of photo IDs (such as passports) to fulfil orders.”
The breach was discovered by vpnMentor on the 22nd of January 2020, and the company was notified on the 26th. The leak was closed off 20 days after vpnMentor contacted Doxzoo.
This latest security breach is another in a long line of recent data leaks across the UK. Companies such as media giant Virgin and guitar tutoring site TrueFire have suffered breaches in 2020, releasing personal information of thousands of their customers for hackers to exploit.
vpnMentor said: “We were able to access Doxzoo’s S3 bucket because it was completely unsecured and unencrypted. Using a web browser, the team could access all files hosted on the database.
“The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security.
“However, these ethics also mean we also carry a responsibility to the public. This is especially true when the company’s data breach contains such a huge amount of private and sensitive information.”