In 2021, Securitas, a multinational security company based in Sweden, suffered a severe data breach exposing 1.5 million files, including sensitive personal and company information.
According to the SafetyDetectives cybersecurity team, “One of the company’s Amazon S3 buckets was left open, exposing over 1 million files,” or about 3TB of data. The exposed data included employee personally identifiable information (PII) and sensitive company data from “at least four airports in Colombia and Peru.”
SafetyDetectives says, "Securitas left its Amazon S3 bucket open and accessible, without any authentication procedures in place." As a result, anyone who discovered the bucket's address could read airport employees' PII and other sensitive business data without presenting any credentials.
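An open bucket of this kind is the combination of three settings: a bucket policy or ACL that grants access to the anonymous principal, and no Block Public Access configuration to override it. The following is an added example, not code from the page or from Securitas, that evaluates those three inputs offline the way S3 applies them. The bucket policy, ACL grants and Block Public Access dictionaries are in the shapes boto3 returns from get_bucket_policy()["Policy"], get_bucket_acl()["Grants"] and get_public_access_block()["PublicAccessBlockConfiguration"], but the sample values below are constructed and do not describe the real Securitas configuration.

```python
"""Evaluate whether an S3 bucket is reachable without authentication from its
bucket policy, ACL grants and Block Public Access settings.  Pure logic, no
network calls; the inputs are constructed examples, not a real account."""
import json

# ACL grantee URIs that mean "everyone" and "any AWS account": both are public.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def public_statements(policy):
    """Return Allow statements whose Principal is the anonymous wildcard.

    Statements carrying a Condition are returned too but flagged for review:
    a condition such as aws:SourceIp may or may not genuinely limit access."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    found = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        if "*" not in _principals(s.get("Principal", {})):
            continue
        found.append((s.get("Sid"), bool(s.get("Condition"))))
    return found


def exposure_findings(policy, acl_grants, public_access_block):
    """Combine the controls the way S3 does: RestrictPublicBuckets neutralises an
    existing public policy, IgnorePublicAcls neutralises existing public ACLs.
    Returns (kind, level, detail) tuples; an empty list means not public."""
    pab = public_access_block or {}
    findings = []
    for sid, conditioned in (public_statements(policy) if policy else []):
        if pab.get("RestrictPublicBuckets"):
            continue
        findings.append(("policy", "review" if conditioned else "public", sid))
    for g in acl_grants or []:
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES and not pab.get("IgnorePublicAcls"):
            findings.append(("acl", "public", g.get("Permission")))
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(("pab", "missing", ",".join(missing)))
    return findings


# Constructed inputs: an open bucket as described in the article, and a fixed one.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}],
}
WEAK_ACL = [{"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
NO_PAB = {}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/photo-upload"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
HARDENED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"},
                 "Permission": "FULL_CONTROL"}]
FULL_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    print("weak:", exposure_findings(WEAK_POLICY, WEAK_ACL, NO_PAB))
    print("hardened:", exposure_findings(HARDENED_POLICY, HARDENED_ACL, FULL_PAB))
```

Running the weak configuration reports the public policy statement, the AllUsers ACL grant and the four missing Block Public Access flags; the hardened configuration reports nothing. Note that turning on all four Block Public Access flags alone is enough to close the weak bucket even before the policy and ACL are corrected, which is why the account-level setting is the first thing to enable.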
The leaked files included images of employee ID cards and unmarked photos of airport operations, including "photos of employees, photos of planes, photos of fueling lines, and photos of luggage being loaded/unloaded."
Many of the images also carried Exchangeable Image File Format (EXIF) metadata, which recorded "device models (of the cameras used), GPS locations of photos, time, and date." EXIF is written into the file by the camera or phone that took the picture, so it travels with the photo unless it is deliberately stripped.
Although the files SafetyDetectives identified concerned airports in Colombia and Peru, the bucket could also have held data on other clients and employees across Latin America and beyond.
SafetyDetectives warned that, if misused by malicious actors, the exposure could be “extremely dangerous with potentially devastating consequences.” The data threatened not only the privacy of airport employees but their physical safety and the security of the airports themselves.
The leaked ID photos could let criminals impersonate legitimate airport staff, or produce counterfeit IDs, and gain unauthorized access to restricted areas such as luggage-loading zones or aircraft. The exposure also included mobile apps used by Securitas security personnel; although the apps were not directly linked to sensitive data, they could give attackers insight into security protocols and staff routines, information that would help them forge credentials, enter restricted areas, or even mount physical attacks on airport staff.
SafetyDetectives noted that the company’s failure to secure its cloud infrastructure could violate several data protection regulations, including those enforced by the Autoridad Nacional de Protección de Datos Personales (ANPDP) in Peru and the Superintendence of Industry and Commerce (SIC) in Colombia.
The ANPDP could impose fines ranging from US$61,000 to US$122,000, and the SIC could levy penalties of up to US$400,000 for breaches of data protection laws.
If the data breach had occurred in the U.S., Securitas would face severe legal and financial penalties under multiple federal and state data protection laws. For example:
When combining these regulatory fines, class-action settlements, and costs for remediation and compliance, the total legal and financial impact could easily reach tens or even hundreds of millions of dollars.
Related: Higher HIPAA penalties announced
Storing the files in a system that requires authentication by default would have prevented the exposure. HIPAA compliant storage solutions such as Dropbox Business or Google Workspace Business plans provide encryption, access controls, and audit trails, so files remain protected even when shared, and they create a clear record of who accessed what. The same controls exist for Amazon S3 itself: new buckets are private by default, Block Public Access can be enforced at the bucket or account level, and server access logging or CloudTrail records every request. The failure here was not the choice of platform but the absence of any access control on the bucket.
While the data leak involved employees and clients from the aviation sector, it could have impacted other industries, as Securitas provides security services to a wide range of sectors.
So, companies that handle sensitive data (whether for government agencies, private companies, or large infrastructure providers) must improve their data protection measures.
Companies must have incident response protocols and immediately respond to data breaches to prevent the worst outcomes.
The EXIF data in the photos, including GPS coordinates and device information, shows that images are sensitive records in their own right. Metadata that reveals where and when a photo was taken, and with which device, can help an attacker map sensitive operations or plan a targeted attack. Organizations should therefore strip EXIF metadata from photos before storing or sharing them, and protect the originals with the same care as any other PII.
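Stripping the metadata described above (the EXIF block that carried device models, GPS position, time and date) is a small change to the JPEG container, not to the picture. The following added example, not code from the page or from any Securitas tool, removes Exif and XMP APP1 segments and the IPTC APP13 segment from a JPEG using only the Python standard library, and reports whether the Exif block points at a GPS sub-IFD so the check can run before upload. It goes slightly beyond the article by also dropping XMP and IPTC, which carry the same kinds of information. The sample image it builds is a constructed marker skeleton with a hand-made TIFF/Exif block, not a decodable photograph; the segment walking and IFD parsing are the same for real files.

```python
"""Strip EXIF (and other embedded metadata) from JPEG files before storage,
using only the standard library.  The sample image built below is a
constructed marker skeleton, not a real photo."""
import struct

SOS, EOI = 0xDA, 0xD9                  # start of scan, end of image
APP0, APP1, APP13 = 0xE0, 0xE1, 0xED   # JFIF, Exif/XMP, IPTC/Photoshop
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
TAG_MAKE, TAG_GPSINFO = 0x010F, 0x8825


def iter_segments(data):
    """Yield (marker, payload, start, end) for each marker segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            return                              # scan data follows; left untouched
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end


def is_metadata(marker, payload):
    """Exif and XMP live in APP1, IPTC/Photoshop data in APP13; JFIF APP0 is kept."""
    if marker == APP1:
        return payload.startswith(EXIF_HEADER) or payload.startswith(XMP_HEADER)
    return marker == APP13


def strip_metadata(data):
    """Return a copy of the JPEG with metadata segments removed; pixels unchanged."""
    out = bytearray(data[:2])
    copied_to = 2
    for marker, payload, start, end in iter_segments(data):
        if not is_metadata(marker, payload):
            out += data[start:end]
        copied_to = end
    out += data[copied_to:]                     # SOS header, scan data and EOI, verbatim
    return bytes(out)


def exif_tags(data):
    """Tag ids in IFD0 of the first Exif segment (empty set if there is none)."""
    for marker, payload, _, _ in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            tiff = payload[len(EXIF_HEADER):]
            endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
            if endian is None:
                raise ValueError("bad TIFF byte order in Exif")
            ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
            count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
            return {struct.unpack(endian + "H", tiff[o:o + 2])[0]
                    for o in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12)}
    return set()


def has_gps(data):
    """True when IFD0 carries the GPSInfo pointer, the tag that leads to coordinates."""
    return TAG_GPSINFO in exif_tags(data)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(with_gps=True):
    """Constructed JPEG: SOI, JFIF APP0, Exif APP1, SOS, dummy scan bytes, EOI."""
    entries = [struct.pack("<HHI4s", TAG_MAKE, 2, 4, b"Cam\x00")]     # Make, ASCII inline
    gps_ifd_offset = 8 + 2 + 12 * 2 + 4                               # right after IFD0
    if with_gps:
        entries.append(struct.pack("<HHII", TAG_GPSINFO, 4, 1, gps_ifd_offset))
    tiff = b"II" + struct.pack("<HI", 42, 8)                          # little-endian TIFF header
    tiff += struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    if with_gps:                                                      # GPS IFD: GPSLatitudeRef "N"
        tiff += (struct.pack("<H", 1)
                 + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")
                 + struct.pack("<I", 0))
    app0 = _segment(APP0, b"JFIF\x00" + bytes([1, 1, 0, 0, 1, 0, 1, 0, 0]))
    app1 = _segment(APP1, EXIF_HEADER + tiff)
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + app0 + app1 + sos + b"\x00\x00\x00\x00" + bytes([0xFF, EOI])


if __name__ == "__main__":
    original = build_sample_jpeg()
    print("gps before:", has_gps(original), "after:", has_gps(strip_metadata(original)))
```

Because the scan data is copied byte for byte, the stripped file is the same picture at the same quality; only the APPn segments disappear. Run the check on the stripped output rather than trusting the tool: has_gps() on the result must be False, and a non-JPEG input raises rather than being passed through unchanged.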
Companies must comply with local and international data protection laws to avoid legal ramifications.
Employees and security teams must undergo regular education on the risks of improper data handling and the steps they can take to mitigate them.
Airports are not typically subject to HIPAA, but healthcare providers or vendors working at airports may be. In that case, they must sign a business associate agreement (BAA) with the HIPAA-covered entity.
Read also: When is a non-healthcare company a covered entity?
The Department of Health and Human Services (HHS) enforces HIPAA penalties. HHS tiers penalties by the severity of the violation and adjusts the amounts for inflation each year so that they keep their deterrent effect over time.
Go deeper: Who is responsible for enforcing HIPAA?
HIPAA requires covered entities to safeguard patients’ protected health information (PHI) from unauthorized access or disclosure, ultimately securing electronic health data.