1. Website Planet
  2. >
  3. News
  4. >
  5. Over 1.2 Million Documents, Including Security Guards and Offenders, Exposed in Data Breach
Over 1.2 Million Documents, Including Security Guards and Offenders, Exposed in Data Breach

Over 1.2 Million Documents, Including Security Guards and Offenders, Exposed in Data Breach

Jeremiah Fowler Written by:
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained over 1.2 million documents belonging to UK-based Amberstone Security Ltd, a technology and physical security services company.  

The publicly exposed database contained 1,274,086 documents with a total size of 245.3 GB. These included the PII and images of thousands of security guards, images of security credentials or license cards issued by the Security Industry Authority (SIA), incident reports, as well as names and dates of birth of theft suspects. Upon further research, it was identified that the documents belonged to Amberstone Security Ltd., a UK-based security company that provides security solutions, intelligence-led manned guarding, and loss-prevention services. I immediately sent a responsible disclosure notice to Amberstone Security, and public access to the database was restricted the following day. It is not known how long the data was exposed or if anyone else may have accessed the documents, only a comprehensive internal cyber forensic audit could identify this information. 

Amberstone Security restricted public access to the database and replied thanking me for my responsible disclosure notification. “Thank you for bringing this to our attention, this is deeply concerning. I am investigating this with the supplier who developed and hosts the platform. Please rest assured that we take data security seriously, and this will be investigated thoroughly”.

Although the records belonged to Amberstone Security, according to their statement, the database and files were managed by a third-party contractor. I did not receive any additional messages, nor did Amberstone specifically identify the name of the supplier in their response. Amberstone appears to be linked to the Argenbright Group, a privately-held family of companies that provides commercial and government security. It is not clear exactly why these documents were collected and stored. The database also contained development files regarding an application called Guarded On Duty, which was developed by ATWRK LTD. According to both the Google and Apple App Stores, the privacy policy of this application is linked to Amberstone Security. The application lets security guards log in and upload images of their badges and themselves to verify they are working their scheduled shift at a specific job location. 

I saw a folder that contained around one hundred thousand images labeled “guard pics”, consisting of: (i) images of security personnel checking in for their shifts using a photograph of themselves and often holding their security badge; and (ii) photographs of guard identification cards. The app store’s summary of security practices indicates the app does not employ encryption and that data isn’t transferred over a secure connection, suggesting that the data is potentially at risk and may be missing some fundamental security safeguards. 

The records I saw range from 2017 to 2024. The database also contained an extensive list of customers and businesses that use Amberstone Security’s services. These customers appeared to be from a diverse range of industries including retail, distribution, leisure and NTE, events and hospitality, corporate, finance, healthcare, education, government and criminal justice, agriculture, ports, and residential security.

Potential risks of exposed application files

The database also contained APK files (Android Package). Any exposed application files could pose potential security risks if malicious actors gained access to the source files. For instance, APK files may contain sensitive user data, such as login credentials, personal information, or sensitive details, which are not intended to be accessed by unauthorized individuals. Another potential risk where a cybercriminal edits or alters APK files to inject malware or malicious code. This would potentially allow attackers to access devices and the user’s personal data and files, or compromise the security of other applications installed on the device. Organizations that offer mobile applications should take additional steps to secure their source files from public access. I imply no wrongdoing by Amberstone. Application and development files should never be publicly exposed, as there could be far-reaching consequences if they were manipulated by criminals. I am not saying that there has been any unauthorized use of the exposed APK or source files. I am only providing a real-world hypothetical example of how these files could create a potential risk for users.

Potential risks of exposed license cards

Physical security is a critical industry that requires qualifications and background checks to ensure the guards are eligible and have no criminal history. Exposure of identification documents issued by the UK’s Security Industry Authority (SIA) poses significant potential security risks. In a phone call to the SIA, I inquired whether the SIA-issued security license card incorporated biometric features or was just a plastic card. I was told that, as of now, the security license card is just a plain plastic card; although there is a plan to introduce biometric features, there is no specific date of when that will be implemented. This means it could potentially be very easy to reproduce or make a counterfeit security license card without any advanced verification methods. Biometric cards would contain an embedded electronic microprocessor chip with specific information to safely verify the cardholder’s identity and the legitimacy of the license card. 

One hypothetical example of a risk scenario would be if criminals used the exposed information (such as the guard’s names, photographs, and license numbers) to impersonate security personnel or gain unauthorized access to a secure facility for criminal purposes. This could potentially lead to a physical security breach, theft, vandalism, or — as a worse-case scenario — acts of terrorism. The exposure of SIA identification documents could pose a serious potential threat to public safety, personal privacy, and the integrity of security operations if misused by unauthorized individuals. I am not saying that there is an imminent risk of any unauthorized use of security license documents or the misuse of the identities of security guards. I am only providing a real-world hypothetical scenario to explain how criminals could exploit the exposed identification documents for nefarious purposes.  

Privacy concerns for guards and alleged suspects

Security guards play a crucial role in maintaining public safety and protecting property. It is important to protect the privacy and personal safety of individuals working as security guards. Any data incident that exposes sensitive information such as names, security license numbers, and profile pictures could potentially compromise the guards’ personal privacy or make them a target for harassment by criminals who may seek retribution. Unauthorized use of a security guard’s license or identity to commit a crime or access a secure location could potentially create legal problems for the guard or undermine their ability to effectively do their job.  

The documentation of alleged theft suspects including images of their faces and personal information raises significant privacy concerns. I saw numerous photographs of theft suspects that contained personal details such as names, dates of birth, and details about their potential crimes. It is not known if these individuals have been arrested, charged with a crime, or have any type of criminal record or conviction by a court for the alleged crimes described in the documents I saw. From a privacy standpoint, the practice of collecting and storing of the images and PII of alleged theft suspects may lead to unwarranted surveillance, stigmatization, and potential discrimination against individuals who may be falsely accused or wrongly identified. From the perspective of the security guards, it is important and valuable to know who is a potential threat or theft suspect. No matter what the reason is to collect and store this information about alleged suspects, it should never be publicly exposed. I am not saying that guards or alleged theft suspects are at imminent risk. I am only providing hypothetical real-world scenarios and raising the issue of potential privacy concerns.

In an increasingly digital world, it is important for providers of offline human operations — like Amberstone Security Services — to take proactive measures to protect their data and the personally identifiable information (PII) of their employees. We have reached the point where real-world services (such as providing physical security) now depend on technology and data for tracking, monitoring, and efficiency. This makes it even more urgent that offline businesses invest in cybersecurity to safeguard the sensitive data they collect and store. I highly recommend that all companies conduct regular security audits and assessments. Taking a proactive approach to data protection can help identify and address vulnerabilities in the organization’s systems, network, or storage repository. 

As an ethical security researcher, I never download or extract the data I discover despite it being publicly accessible. I manually review a limited sample and take screenshots for verification purposes. I imply no wrongdoing by Amberstone Security Ltd. or the unidentified third-party contractor who managed the database, nor do I claim that the data of guards, alleged suspects, or others was ever at risk. The duration of the data exposure and the identities of any other parties who may have accessed the documents remain uncertain, and only an internal investigation could review this information. I publish my findings for educational purposes and to bring attention to potential cyber security risks. 

Rate this Article
5.0 Voted by 2 users
You already voted! Undo
This field is required Maximal length of comment is equal 80000 chars Minimal length of comment is equal 10 chars
Any comments?
Reply
View %s replies
View %s reply
More news
Show more
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Popup final window
Share this blog post with friends and co-workers right now:
1 1 1

We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.

Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!

So happy you liked it!

Share it with your friends!

1 < 1 1

Or review us on 1

3305670
50
5000
97144475