Oh buoy. Rich yacht bods' job agency leaves 17,000 sailors' details exposed in AWS bucket

It's 2020 and people are still letting S3 storage leak


A private yacht crew recruitment agency has left an AWS bucket containing the CVs, passports and even some drug test results for up to 17,000 people exposed to world+dog, according to reports.

Crew & Concierge – a jobs firm in Bath, England, that targets "high net worth individuals", yacht captains, and management companies searching for seafarers to crew private yachts – left an Amazon Web Services S3 bucket open to anyone and everyone for around 11 months starting in February 2019.

British news site Verdict reported that 17,379 seafarers' CVs were exposed, along with thousands of ENG1 medical certificates and passport scans.

A total of 90,000 files were exposed, it was said, including sample menus from chefs hoping to fill a billet aboard some oligarch's floating gin palace.

In a statement to Verdict, Crew & Concierge director Sara Duncan blamed "the team of developers we had hired" for the bucket being left open, saying she had trusted the devs to "do a competent job" of securing "personal and sensitive personal information relating to our registered crew".

The breach has been reported to the Information Commissioner's Office, as required by the Data Protection Act 2018.

Duncan continued, saying: "It appears likely that the individual or individuals responsible have developed advanced tools designed specifically to identify AWS customers and whether or not they have [a] misconfigured instance that may leave it open to malicious attack."

Such so-called "advanced tools" include the search engine Gray Hat Warfare, which does for AWS buckets what Shodan does for IoT devices carelessly and inappropriately left accessible by the public.

A few weeks ago Britain's Royal Yachting Association (RYA) 'fessed up to a breach of its member database circa 2015. The two incidents are not thought to be linked, in particular because the RYA identified malicious access to the database in question whereas Crew & Concierge left the door to its digital stables wide open.

The Register has asked Crew & Concierge for comment. ®

Similar topics

Narrower topics


Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022