NBC News located a trove of personal information in online file storage systems left unprotected by the companies that use them.
Cloud bucket- Jessica Arcuri, a restaurant hostess from California, was looking for some extra cash a couple of years ago when she came across a pet-sitting app called PetBacker.
The app invites pet lovers to step forward as paid short-term caretakers of dogs and cats. Based in Malaysia, it serves thousands of customers across 40 countries.
As part of the signup process, Arcuri submitted a government-issued identification document: a copy of her state driver’s license, which included her full name, home address and birthday. Security experts resoundingly agree that companies should treat personal information with the utmost of care and request IDs only for specific purposes, such as background checks. But NBC News found Arcuri’s driver’s license online with no security safeguards whatsoever. When contacted by a reporter, she was alarmed.
“I didn’t even remember that that app had my ID — that’s just crazy,” said Arcuri, 23, of Lakewood. “The fact that you were able to find it is concerning.”
Arcuri is one of the millions of people who have had their personal identifiable information exposed through online file storage systems called “cloud buckets.” The digital equivalents of safety deposit boxes, they house data placed in networks of remote servers — what’s known as the cloud.
Placing reams of data in the cloud offers companies the ability to offload their security to big firms like Google, Apple, Amazon or Microsoft. But the buckets themselves are configured not by the Googles and Apples of the world but by the companies who use their cloud networks.
As Arcuri learned the hard way, some companies are placing this sensitive information in improperly secured buckets, a potential bonanza for tech-savvy identity thieves. Cases like these, experts say, show that companies don’t need to be hacked to put customer data at risk.