Lantum S3 bucket leak is prescription for chaos for thousands of UK doctors
A UK agency for freelance doctors has potentially exposed personal details relating to 3,200 individuals via unsecured S3 buckets, which one expert said could be used to launch ID theft attacks or blackmail.
Lantum, an online locum doctor agency, had left the storage accessible on its old backend system, Network Locum, according to researchers. Cybernews discovered the Amazon AWS S3 bucket, potentially exposing 98,000 files relating to thousands of individuals.
The security analysis company monitors various cloud blob storage to understand the potential for misconfiguration. In the process, it discovered the Lantum S3 bucket, which was accessible and indexed on some IoT search engines. The analysts said any malicious actor could have found the repository of personal data relating to the 2014-2016 period.
“We then tried to contact Lantum multiple times with no response. We have asked for NCSC help and were advised to report it to NHS too. However, after multiple attempts, we received no response,” the researchers said. The bucket was closed almost immediately after the publication.
The files contain personal information of general practitioners using its services, including passport details, national insurance numbers, resumes, medical documents, professional certificates, payroll details and invoices. Lantum told Cybernews it complied with security standard ISO27001 and had been audited. ISO27001 covers controls that guide data storage.
The Register has offered Lantum the opportunity to comment. According to a statement given to doctors’ news site Pulse, a spokesperson for Lantum said: “While this data may have been accessible to unauthorised individuals, there is currently no indication that data has been accessed and no reason to suspect that this is the case.
“We are, however, treating this matter as a potential data breach and will continue to liaise with any individuals who may be affected should more information be revealed by our investigations.”
But one doctor with tech expertise was not reassured.
Dr Marcus Baw, immediate past chair of Royal College of GPs Health Informatics Group, said the accessible information was personally sensitive and could leave affected doctors exposed. “Those are the kinds of details you would pick if you wanted to be in a very strong position to create a fake identity,” he said.
As well as ID theft, there was a danger of blackmail as the records include details of complaints related to regulatory body the General Medical Council, many of which may be unproven or vexatious.
Baw warned it might take years for the details to resurface in the form of ID theft campaigns after the details have been traded on the dark web.
He said Lantum should be able to analyze downloads from the S3 buckets in question to assess if there had been any unusual activity, and notify the doctors affected.
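Whether that analysis is possible at all depends on S3 server access logging (or CloudTrail data events) having been switched on for the bucket before the exposure; neither is enabled by default, and neither records requests made before it was turned on. The Python below is an added example, not code from Lantum, Cybernews or The Register: it parses constructed S3 server access log records and pulls out successful bucket listings and object downloads made with no AWS credentials, then totals bytes served per source address. The bucket name, object keys, request IDs and IP addresses are all made up.

```python
import re
from collections import Counter

# Leading fields of the S3 server access log format: owner, bucket, [time], remote IP,
# requester ('-' when unauthenticated), request ID, operation, key, "request URI", HTTP
# status, error code, bytes sent, object size, total time, turnaround, "referer", "UA".
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\S+) '
    r'(?P<error>\S+) (?P<bytes_sent>\S+) (?P<object_size>\S+) (?P<total_time>\S+) '
    r'(?P<turnaround>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

READ_OPS = {"REST.GET.BUCKET", "REST.GET.OBJECT"}  # enumerating keys, fetching objects

# Constructed sample records (not real Lantum log data); IPs are documentation ranges.
SAMPLE_LOG = [
    # Authenticated read by the owning account: expected traffic.
    'ownerid examplebucket [01/Mar/2016:10:00:01 +0000] 198.51.100.7 ownerid REQ1 REST.GET.OBJECT '
    'payroll/2015.csv "GET /payroll/2015.csv HTTP/1.1" 200 - 4096 4096 12 10 "-" "aws-cli/1.10" - - SigV4',
    # Anonymous bucket listing: someone enumerating keys without credentials.
    'ownerid examplebucket [01/Mar/2016:10:05:00 +0000] 203.0.113.9 - REQ2 REST.GET.BUCKET - '
    '"GET /examplebucket?max-keys=1000 HTTP/1.1" 200 - 51200 - 40 38 "-" "Mozilla/5.0" - - -',
    # Anonymous object download: data actually left the bucket.
    'ownerid examplebucket [01/Mar/2016:10:05:02 +0000] 203.0.113.9 - REQ3 REST.GET.OBJECT '
    'passports/scan-001.pdf "GET /passports/scan-001.pdf HTTP/1.1" 200 - 812000 812000 300 120 "-" "Mozilla/5.0" - - -',
    # Anonymous request that was denied: nothing served, so not counted.
    'ownerid examplebucket [01/Mar/2016:10:06:00 +0000] 192.0.2.44 - REQ4 REST.GET.OBJECT '
    'invoices/x.pdf "GET /invoices/x.pdf HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.47" - - -',
]


def parse_line(line):
    """Return the parsed fields of one access-log record, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def anonymous_reads(lines):
    """Successful listings and downloads made without any AWS credentials."""
    recs = filter(None, map(parse_line, lines))
    return [r for r in recs
            if r["requester"] == "-" and r["operation"] in READ_OPS and r["status"] == "200"]


def bytes_by_ip(hits):
    """Total bytes served per remote IP, to rank sources by volume downloaded."""
    totals = Counter()
    for rec in hits:
        if rec["bytes_sent"] != "-":
            totals[rec["ip"]] += int(rec["bytes_sent"])
    return totals
```

Sorting the per-IP totals and joining the matching keys back to the affected individuals is what would let an operator say which records were taken rather than merely exposed.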
“They need to admit it. They need to contact every doctor that has ever registered with them and say they are at risk and describe the magnitude of the risk. They could offer to pay underwriting companies to protect those affected against identity theft,” Baw said.
Formerly known as Network Locum, Lantum rebranded in 2017. In 2022, Lantum announced it received $15 million in funding from Finch Capital, Piton Capital, Samos, and Cedars-Sinai Hospital. ®