Data Breach: Millions of Senior Citizens’ Names, Emails, and Phone Numbers Compromised in Senior Care Review Website Database Breach
WizCase’s security team, led by Ata Hakcil, has found a major breach affecting a storage bucket owned by SeniorAdvisor, “one of the largest consumer ratings and reviews websites for senior care and services across the United States and Canada.” The breach compromised users’ names, surnames, phone numbers, and more. Records on millions of people sat in the misconfigured bucket; no password or login credentials were needed to access them, and the data was not encrypted.
SeniorAdvisor is a consumer ratings and reviews website dedicated to helping senior citizens find care options in their area. The website was started by for-profit senior care referral service A Place for Mom in 2013 and has listings for senior care options throughout the US and Canada.
Our team of ethical cyber researchers discovered a misconfigured Amazon S3 bucket belonging to SeniorAdvisor containing over 1,000,000 files and 182 GB of data. Our team reached out to the company and the bucket has since been secured.
What Data Was Leaked?
The misconfigured S3 bucket left over 3,000,000 people (called “leads” in the bucket) vulnerable, exposing PII such as surnames, emails, phone numbers, and dates contacted. These contact dates suggest the records span 2002 to 2013, but the files themselves were timestamped 2017. Most of the exposed data took the form of leads: a list of potential customers whose details SeniorAdvisor presumably collected through its email or phone call campaigns.
In addition, our security team found around 2,000 “scrubbed” reviews. These are reviews from which the user’s sensitive information has been wiped or redacted. However, the scrubbing is useless to anyone who also holds the corresponding lead records: each scrubbed review still carried a lead id that could be used to trace it back to its original author. Since the lead data and the scrubbed reviews were in the same database, supposedly anonymous reviewers could have had their identities revealed with a simple search operation.
For example, here’s a scrubbed review with its corresponding lead id:
Having a lead id, one could very easily find the lead and the corresponding PII (sensitive information redacted):
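The re-identification the report describes is a join on a shared column, and the fix is to make sure the published review data shares no column with the lead data. The following added example (not WizCase's or SeniorAdvisor's code) uses constructed lead and review records with constructed field names, since the report only says the reviews carried a "lead id"; it shows the join the report warns about and a keyed-pseudonym export that removes it.

```python
"""Why redacting review fields is not anonymisation when a join key survives.

Added example, not code from WizCase or SeniorAdvisor. The records and field
names below are constructed; the real bucket's schema is not described beyond
the presence of a lead id on each scrubbed review.
"""
import hashlib
import hmac

# Constructed lead records: the PII side of the join.
LEADS = [
    {"lead_id": 1001, "surname": "Doe", "email": "j.doe@example.com", "phone": "555-0101"},
    {"lead_id": 1002, "surname": "Roe", "email": "r.roe@example.com", "phone": "555-0102"},
]

# Constructed "scrubbed" reviews: contact fields removed, lead_id left in as a key.
SCRUBBED_REVIEWS = [
    {"review_id": 7, "lead_id": 1002, "text": "Staff were attentive and kind."},
    {"review_id": 8, "lead_id": 1001, "text": "Facility was clean but understaffed."},
]


def reidentify(reviews, leads):
    """The 'simple search operation' from the report: map review_id -> author email."""
    by_id = {lead["lead_id"]: lead for lead in leads}
    return {r["review_id"]: by_id[r["lead_id"]]["email"]
            for r in reviews if r["lead_id"] in by_id}


def pseudonym(lead_id, key):
    """Keyed pseudonym: HMAC-SHA256 of the lead id under a secret held outside the dataset."""
    return hmac.new(key, str(lead_id).encode(), hashlib.sha256).hexdigest()[:16]


def export_reviews(reviews, key):
    """Publishable review export: pseudonymous author token, raw lead_id dropped."""
    return [{"review_id": r["review_id"], "author": pseudonym(r["lead_id"], key), "text": r["text"]}
            for r in reviews]


def reidentify_export(export, leads):
    """Same join attempted against the export: without the key no column matches."""
    by_id = {str(lead["lead_id"]): lead for lead in leads}
    return {r["review_id"]: by_id[r["author"]]["email"]
            for r in export if r["author"] in by_id}
```

Two caveats on the mitigation: the HMAC key must live somewhere the lead and review data do not (a secrets manager, not the same bucket), and because the token is deterministic, all reviews by one lead remain linkable to each other; if even that linkage is unwanted, issue a random per-review token instead and keep the mapping internal.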
What Are the Risks and How to Protect Yourself
The greatest danger of this breach stems from the specific group of people left vulnerable. SeniorAdvisor is aimed at senior citizens in or near retirement. In a 2018-2019 report, the FTC noted that people aged 60-69 who filed a fraud complaint lost $600 per scam on average. The loss rose with age, reaching $1,700 per scam on average for people aged 80-89. In particular, the report found senior citizens were more likely to fall for digital scams such as tech support scams, prize/sweepstakes scams, online shopping scams, and especially phone scams.
Scams, Phishing, and Malware: The PII in the leads files could be used for a variety of scams and phishing attempts, including phishing emails that trick the user into entering sensitive data on malicious websites, adding the user to a robodialer list, or emailing or calling the user while masquerading as a government or bank official to obtain financial information.
Corporate Espionage: Companies invest heavily in acquiring leads. Here, competitors could use the massive amount of exposed data to reach these potential customers directly and grow their own customer base.
Unfortunately, the above list is not comprehensive, and cybercriminals are constantly devising new methods to exploit anyone vulnerable on the Internet. As shown, senior citizens face a greater risk of online fraud than the rest of the population and should therefore be even more careful in their online behaviour.
For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an online account. The less information hackers have to work with, the less vulnerable you are.
Though most email clients have methods to block spam and phishing attempts, they are not 100% effective. When receiving an unexpected email from a seemingly trustworthy source, do not open any attachments. Phishing emails often use scare tactics to force users to open the attachment. If you are ever unsure about an email from a trustworthy company, give them a call. This will usually let you verify whether the attachment is legitimate or not. A good antivirus program can also aid in protection from malware, trojans, and other dangers.
In cases of potential corporate espionage, companies should warn their clients of the breach as soon as possible to ensure their clients’ vigilance and safety.
Why Should I Trust WizCase?
WizCase is a widely popular web security platform offering advice and tips for thousands of readers every week. Translated into over 30 languages, our website has gained the trust of a wide number of people worldwide. Our team regularly discovers new data breaches across the internet and contacts the companies responsible for them prior to publishing any reports. We have found leaks and breaches affecting many different companies from news websites, to popular dating apps, and to the medical industry. Together, we’re working hard towards creating a safer online environment for everyone.