Lantum, an online agency for freelance doctors in the UK, has been found to have potentially exposed the personal information of 3,200 individuals through unsecured S3 buckets on its old backend system, Network Locum.
The exposure was discovered by cybersecurity researchers who identified an accessible Amazon S3 bucket containing approximately 98,000 files related to thousands of people. The files contained sensitive information, including passport details, national insurance numbers, resumes, medical documents, and more.
Despite attempts to contact Lantum about the vulnerability, the agency did not respond, and the bucket was closed only after the publication of the discovery. Dr. Marcus Baw, an expert in health informatics, expressed concern about the severity of the exposed information, emphasizing the potential for creating fake identities and the risk of blackmail.
He urged Lantum to analyze downloads from the affected S3 buckets and promptly notify affected doctors while taking responsibility for the breach.
Lantum, formerly known as Network Locum, claimed to comply with the ISO 27001 security standard and had been audited. The agency treated the incident as a potential data breach and stated that there was no indication of unauthorized access to the data.
However, experts warned that the exposed details could be exploited for years in identity theft campaigns after being traded on the dark web. Lantum has informed the UK’s privacy watchdog, the ICO, and has engaged specialist privacy and cyber consultants to address the situation.