Sensitive data related to roughly 5.2 million arrests in the state of South Carolina were discovered exposed online last month by a California-based security company, Gizmodo has learned. A small percentage of those arrested were juveniles at the time.
A researcher at the security firm UpGuard discovered the files in an open cloud store bucket last month among multiple 14 GB databases. The tranche of data included the names of individuals charged with crimes, the alleged victims, and in some cases, the names of witnesses.
The company said a “significant number” of database entries included full names, dates of birth, phone numbers, and drivers’ license numbers.
Around 17,000 Social Security numbers were also exposed.
Most states consider juvenile law enforcement and court records to be confidential. South Carolina is among them. (A 2014 study by the Juvenile Law Center ranked the state relatively high in protecting the confidentiality of law enforcement records related to minors.)
Spartan Technology, the case management company that had been storing the data—apparently on behalf of local court officers—was reached by UpGuard in mid-November and scrambled to secure the files.
“Spartan was notified about a potential misconfiguration on one of its buckets. Upon the notice, Spartan found the misconfiguration and secured the bucket within a matter of minutes,” said Eddie Pruitt, the CEO of Spartan Technology.
Around 60 GB in full, the data appeared to relate some 26,000 individuals, UpGuard said. “Analysts confirmed the existence of entries marked as being members of the military and juveniles,” the company said.
Chris Vickery, director of cyber risk research at UpGuard, told Gizmodo by phone that Spartan Technology had reacted quickly to the news and immediately revoked the public access. That was something he felt was worth commending.
At a time when data breaches and other types of data exposure are commonplace, Vickery said he hoped any blowback faced by the company would be measured and take into account its response. In his years as a data breach hunter, he’s discovered many instances of sensitive information being improperly exposed. And not everyone responds well to the same news.
Many companies have ignored Vickery’s emails warning them about potential breaches and some have reacted with hostility. Good Samaritans in the security industry have even faced legal threats merely for attempting to get sensitive data secured.
Conversely, UpGuard said that Spartan was eager to cooperate and address the issue, something that more people should consider, Vickery said, when gauging the impact of these incidents. “This kind of active and open engagement with a security researcher should be lauded, as it speeds up response time and ultimately reduces the risk to the individuals affected,” the company said.
Pruitt said his company concluded that a previous employee had failed to follow standard procedures and secure the bucket containing the files.
“In response to this notification, Spartan has reviewed its processes and has reinforced company policy with current employees,” he said, adding that additional layers of monitoring and security had been implemented.
Correction: A previous version of this article referred to the company as “Spartan Technologies.” Its name is Spartan Technology. We regret the error.