Infoseccer: Private security biz let guard down, exposed 120K+ files

Assist Security’s client list includes fashion icons, critical infrastructure orgs

A London-based private security company allegedly left more than 120,000 files available online via an unsecured server, an infoseccer told The Register.

The independent security researcher claimed they had found 124,035 exposed files back in October, totalling 46.48 GB and containing PII, payroll data, job application forms, TrustID-validated documents, Security Industry Authority (SIA) cards, and more.

The researcher, who asked to be referred to as JayeLTee, claimed they additionally found invoices dating back to 2005 and applications for guard jobs, complete with applicants' personal data and national insurance numbers, headshots, and details of their assignments. One example they saw was an employee induction report.

According to Assist Security's website, the company has provided services to the likes of major hospitals in the capital, national rail operators, and high-end fashion brands.

"It's hard to get the full scope of what was exactly exposed," said JayeLTee. "The server contained hundreds of directories, a lot of them related to specific individuals.

"This included data of people who started the application process and quit or got denied eventually, so some people had more data exposed than others, depending on where the process stopped. People who were approved would have more exposed, which could include things such as payroll data."

Speaking to The Register, JayeLTee claimed that none of the vetting files related to guards on the company payroll were encrypted, and they said data also appeared to be stored after individuals either resigned or had their applications rejected.

JayeLTee said the data all related to a backup generated around August 2023. They discovered the exposed server on October 23, 2024, and said Assist closed the access six days later, after the researcher reported it.

There is no evidence to suggest that the server was left unprotected for any longer than that period, although Assist did not produce server logs to confirm this when the researcher asked for them.

JayeLTee claimed: "The information on this server was quite sensitive and very high risk in the hands of the wrong people, and the fact that the company never asked me for any IP I used to access the data, or what I even accessed, combined with them telling me this was just the file structure made me doubt they had checked any logs."

The Register contacted Assist Security for a response to JayeLTee's report.

It said: "On receipt of information regarding the allegedly exposed files, immediate corrective action was taken. We are grateful to the ethical hacker for their diligence in bringing this matter to our attention. At the time our initial assessment determined that our corrective measures were sufficient to mitigate any risk."

It added:

In light of new information we have received, we continue to engage with the ethical hacker to understand the extent of data they may have unlawfully exfiltrated and be retaining. This includes working with them seeking to ensure the secure deletion of any unlawfully retained data and further reviewing the facts to determine if notifications to regulatory bodies, such as the ICO, impacted individuals or law enforcement are warranted.

Assist continued: "We remain committed to maintaining the trust of our staff, clients and stakeholders and will take all appropriate steps based on the outcome of this ongoing investigation."

The Register has confirmed with the Information Commissioner's Office (ICO) that the data protection watchdog has not received a report from Assist.

While Assist's unprotected data would meet the ICO's definition of a personal data breach, the watchdog does say that not every breach has to be reported.

Generally speaking, notifiable breaches are ones likely to result in a risk to the data subjects' rights and freedoms, and those must be reported to the ICO within 72 hours of the organisation becoming aware of them. Therefore, if Assist were able to confirm internally that the files had not been accessed by a malicious third party, the incident wouldn't necessarily have to be reported. Making that determination, however, depends on reviewing access logs for the exposed server, the very step the researcher doubts was taken. ®
