Among the trove of exposed documents were a Florida driver’s license, a letter from a Ukrainian ambassador, and an FBI background check document.
People tend to assume that offline paper documents can never pose an online data risk. That assumption does not hold: the latest research shows that such documents can be compromised once they are uploaded and stored online.
Website Planet's security researcher Jeremiah Fowler has discovered a non-password-protected database that contained over 25,000 records, all publicly exposed, including ‘highly sensitive’ documents. The database reportedly belonged to a global translation service provider, Kings of Translation.
This was revealed by Fowler to Hackread.com. It is worth noting that Kings of Translation is a New York-based company that claims to be a premium translation service provider in the country, facilitating the translation of over 120 languages.
Fowler’s research, published on Website Planet, revealed that the exposed data contained PII (personally identifiable information), internal screenshots of the source code, and customer documents stored in the uploads folder, including the following:
- Driver licenses
- Business documents
- Denied visa petitions
- Birth and Marriage records
- US Federal and State tax filings
These files belonged to customers from across the globe. There were around 25,601 records contained in the database.
How was the Database Owner Discovered?
Fowler found invoices and references linked to the NYC-based Kings of Translation, which is how he identified the database’s owner. Kings of Translation uses technology it developed to let customers upload documents and transfer payments automatically.
Fowler claims that this is the first time in his career that he has come across data from a translation service and its customers. He also noted that this was the first time he had seen such a wide variety of documents in a single database.
Possible Security Risks
It was an alarming discovery since it involved a business that collected all sorts of documents. Usually, businesses store data related to their industry. But this case was different. Since the database belonged to a translation service, the documents were sensitive, as many of them were required by educational institutions or foreign governments.
Moreover, the documents revealed crucial personal details through records such as birth, marriage, divorce, and death certificates. Fowler also shared screenshots with Hackread.com of some of the exposed documents, which included a Florida driver’s license, a letter from a Ukrainian ambassador, and an FBI background check document.
Further, many legal documents were also part of the leak, for instance, court documents, contracts, certificates requiring translation to ensure compliance with legal requirements, and visa or immigration-related documents.
Such documents, if exposed, can leave affected people vulnerable to tax fraud or identity theft: cybercriminals may file false tax returns, claim a refund on the victim’s behalf, or obtain credit in their name. Government documents and correspondence letters may reveal business trade secrets, leaving the victim liable for debts, fees, or penalties.
Fowler notified the company immediately, and public access to the database was restricted on the same day. The researcher could not determine how long the database had remained publicly exposed before access was restricted, and he has not yet received any response from Kings of Translation.