A misconfiguration in the Metropolitan Transportation Commission (MTC) systems caused a leak of over 26K files, exposing clients’ home addresses and the plate numbers of their vehicles.
The Metropolitan Transportation Commission (MTC) is a governmental agency responsible for regional transportation planning and financing in the San Francisco Bay Area.
The latest research by Cybernews shows that the agency left public access to Amazon Web Services (AWS) buckets storing over 26,000 files.
Leaked files included PDF files with Bay Area Rapid Transit (BART) carpool parking permits sent out by the agency. The permits were obtained through the 511.org website, an online platform providing transportation information in the Bay Area.
Thousands of leaked permits exposed the users’ full names, home addresses, and car plate numbers. Our researchers found that the letters are dated between 2016 and 2021.
Researchers contacted MTC, and public access to the data was closed. Cybernews reached out to MTC for an official comment but has yet to hear back from them.
Risk of plate cloning
While the leaked parking permits are no longer valid, malicious actors could use the exposed data for identity theft and to craft spear phishing attacks.
Another potential danger involves car plate cloning. Plate cloning occurs when a criminal deliberately swaps the license plates on their vehicle with those from a “clean” vehicle. It means that a car has been driven by an individual with no record of speeding, parking violations, fines, or no criminal history.
This type of fraud could lead to parking fines, speeding tickets, or criminal activities associated with the registered owner, putting victims of the cloning scam in legal jeopardy.
If you want to know how MTC can mitigate the potential risks take a look at the original post:
About the author: Paulina Okunytė, Journalist at Cybernews
(SecurityAffairs – hacking, Metropolitan Transportation Commission )