The Scenario
Your Mission, Should You Choose to Accept it…
You are an IT security professional at a university hospital and have been asked by HR to help them investigate a potential situation. A disgruntled database administrator who was fired for granting himself unauthorized access to various administrative databases told his exit interviewer (in French, of course), “It’s too late, you’re going to be on the news. Good luck finding that needle in the haystack before the Internet does.”
You and your peers take this to mean that he has intentionally exposed sensitive information to the Internet, and you are tasked with finding it. Based on the former employee’s access logs, it appears that he was accessing records that could be used to steal identities.
Starting with Amazon S3
Your organization uses Amazon S3 to share research data with other universities and the government, and you suspect this may be where he stashed the data since these buckets are publicly accessible. While this is the first place management wants you to look, email, SharePoint, OneDrive, and other places will be next, so whatever strategy you use should be reusable for all of these exfiltration vectors.
The Haystack
Below is a sample of the kind of data that is normally stored in your S3 bucket. There will be about 100 such files, which together make up a fictitious dataset of medical diagnoses and treatments approved by an insurance company or government agency. Note that this data has been anonymized by the university and can be shared publicly. Unfortunately, this also means that any sensitive data placed among these files will be publicly accessible.
Diagnosis,TreatmentID,Provider,TreatmentType,TreatmentName,ApprovalCode,ReviewDate
Giggleheelphobia,QGY5708980HCLP71,Chuckle Clinics LLC,therapy,Miracle Mend Capsules,427996-9512,05/25
Bumbleforeheadalgia,HXGCU165798999XG36L2J2,UK Wellness LLP,pharmaceutical,Albuterol,409189002602,04/26
Noodleeyebrowopathy,JAFH4OV753588480IR06,JollyRx Associates,device,Ribosome Infusion,9881380168743,08/25
Jollytummystasis,6A7BY61179HDV18DBBK,CCX Corp,pharmaceutical,Albuterol,726-375-26957691,07/25
Bumblebrainopathy,6GP0E22520283R60D,JollyRx Associates,device,FocusForte Drops,444-70829600589,05/25
Squiggleelbowstasis,J5603721034S,BellyLaugh Biotech,device,Amlodipine,1265-26417993-15034,04/26
Wobblewristsclerosis,3HQ0I7557764AWC,Mirthful Medicine Inc.,therapy,Dermaline,5354785-01078,10/26
Gigglebellytrophy,AAYMQ0008004S4HP3ODG,Joyful Jabs Pharmaceuticals,therapy,EnerGize Formula,7295781-64791,05/26
Snickercheeklysis,1CHM1233ZR,Chuckle Clinics LLC,therapy,Dermaline,40296103166,06/26
Snickerchinmania,J7T185018YJV889,Jackson Health,device,SleepEase Inhaler,0821-4663506,11/26
Funkyheelsclerosis,X7L358606K144NJ,GrinGrain Organics,therapy,Omeprazole,277-066780601,11/26
Zippynosephobia,IEUKN292688STYDGH,French Medical Research SA,device,MemoryMax Tablets,741562379251,02/25
Gigglechinitis,2ILVD8206U88D,Euphoria Elixir Enterprises,pharmaceutical,VigorVital Tonic,5452-646146,01/26
Fluffychinplasia,NX4O5ML84264K2TJ,French Medical Research SA,pharmaceutical,Rejuvenate Rx Cream,88989967949987,06/25
Wobblechinmegaly,LHQUT2328430EB86N,Euphoria Elixir Enterprises,pharmaceutical,EnerGize Formula,989009066-9902875,02/26
Your Mission
Your mission, should you choose to accept it, is to find personal and/or payment information hidden among the public research data in Amazon S3 before it is stolen.
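As an added illustration (not part of the original exercise material), here is one way to look for payment card numbers in files shaped like the haystack sample above. It works on CSV text rather than on S3 directly, so the same check can be pointed at other sources later. The function names are hypothetical. The sample reuses three rows from the page plus one constructed row carrying the well-known test number 4111 1111 1111 1111. The Luhn check is what separates a real card number from the long ApprovalCode values that merely look like one.

```python
import csv
import io
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_csv(text, require_luhn=True):
    """Return (line, column, masked_value) for each card-like value found."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    findings = []
    for line_no, row in enumerate(rows, start=2):
        for col, field in zip(header, row):
            for m in CANDIDATE.finditer(field):
                digits = re.sub(r"\D", "", m.group())
                if require_luhn and not luhn_ok(digits):
                    continue  # long digit run, but not a valid card number
                # Mask all but the last four digits so the report itself is safe to share.
                findings.append((line_no, col, "*" * (len(digits) - 4) + digits[-4:]))
    return findings

# Rows 2, 3 and 5 come from the sample on this page; row 4 is constructed.
SAMPLE = """\
Diagnosis,TreatmentID,Provider,TreatmentType,TreatmentName,ApprovalCode,ReviewDate
Noodleeyebrowopathy,JAFH4OV753588480IR06,JollyRx Associates,device,Ribosome Infusion,9881380168743,08/25
Jollytummystasis,6A7BY61179HDV18DBBK,CCX Corp,pharmaceutical,Albuterol,726-375-26957691,07/25
Gigglechinitis,CONSTRUCTEDROW,Constructed Example Co,therapy,Dermaline,4111 1111 1111 1111,01/26
Squiggleelbowstasis,J5603721034S,BellyLaugh Biotech,device,Amlodipine,1265-26417993-15034,04/26
"""

if __name__ == "__main__":
    print("pattern only:", len(scan_csv(SAMPLE, require_luhn=False)), "hits")
    for hit in scan_csv(SAMPLE):
        print("pattern + Luhn:", hit)
```

Pattern matching alone flags every ApprovalCode in the sample. With the checksum applied, only the constructed row remains.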