Data Breach at North American Service Center, a UAE Immigration Consultant, exposes confidential identification documents of clients

A misconfigured ElasticSearch server run by North American Services Center, an immigration consulting agency located in the United Arab Emirates, has led to the exposure of confidential documents such as Passports, Visas, Birth Certificates, Academic records, and Videotaped interviews. The level of Personally Identifiable Information exposed could easily lead to fraud and identity theft for the clients of NASC.

During a routine test of a database profiling tool, I came across an exposed ElasticSearch server which was indexing the CRM notes and communications between a UAE-based immigration company and its clients. The data exposed in the communications are categorized as follows:
  • Emails to/from Clients (Approx. 18,000 unique email addresses)
  • Links to Cloud Storage files that clients have submitted to NASC
  • Client Login Credentials to the NASC document management portal
  • Login Credentials to 3rd party sites related to immigration to Canada
After reviewing several sample messages and links to cloud documents, I was able to confirm access to the following types of documents for various clients of NASC:
  • Full Client/Family Information
    • Name
    • Address
    • Emails
    • Phone
  • Copies of Documents required for Immigration Application
    • Passports
    • Birth certificates
    • Employment History
    • Education History and IELTS reports
  • Immigration Approval letters
  • Immigration Interview Videos
  • Immigration Consulting Retainer Agreements
Based on the level of PII being exposed and the risk to its clients, an email was sent out to NASC to notify them of the Data Breach. After 48 hours with no response back from NASC, an email was sent out to the UACert and Canadian Cyber Security Centre teams to ensure that the appropriate actions would be taken to notify NASC and its clients in the UAE and Canada of the Data Breach.

Sample redacted documents: