A significant data breach has occurred at the Metropolitan Transportation Commission (MTC) in the San Francisco Bay Area due to a system misconfiguration. Over 26,000 files were exposed, revealing sensitive information including clients’ home addresses and vehicle license plate numbers.
Furthermore, the MTC, a government agency responsible for regional transportation planning and financing, inadvertently left public access to Amazon Web Services (AWS) buckets containing these files, as revealed in a recent investigation by Cybernews.
Among the leaked documents were PDF files containing Bay Area Rapid Transit (BART) carpool parking permits, which had been distributed via the 511.org website, an online platform providing transportation information in the Bay Area. These permits contained users’ full names, home addresses, and vehicle plate numbers, dating back to letters sent between 2016 and 2021. After being informed of the breach, researchers reached out to MTC, and the public access to the data was promptly closed.
This incident highlights the potential risks associated with data breaches, including identity theft and spear phishing attacks for affected individuals. Furthermore, there is concern about car plate cloning, a fraudulent practice where criminals swap license plates to avoid fines and penalties associated with their own plates.
Victims of such cloning scams could find themselves facing parking fines, speeding tickets, or even criminal activities associated with their names, putting them in legal jeopardy. The MTC has yet to provide an official comment on the breach, leaving questions about the scope of the incident and the steps taken to prevent future data exposures unanswered.