The Scenario

Your Mission, Should You Choose to Accept it…

Mission Impossible Mission Impossible

You are an IT security professional at a university hospital and are asked by HR to help them investigate a potential situation. A disgruntled database administrator who was fired for granting himself unauthorized access into various administrative databases told his exit interviewer (in French, of course), “It’s too late, you’re going to be on the news. Good luck finding that needle in the haystack before the Internet does.”

You and your peers take this to mean that he has intentionally exposed sensitive information to the Internet and you are tasked with finding it. Based on the former employee’s access logs it appears that he was accessing records that would be used to steal identities.

Starting with Amazon S3

Your organization uses Amazon S3 to share research data with other universities and the govement and you suspect this may be where he stashed the data since these buckets are publicly accessible. While this is the first place management wants you to look, email, Sharepoint, OneDrive and other places will be next so whatever strategy you use should be reusable for all of these exfiltration vectors.

The Haystack

Below is a sample of the kind of data that is normally stored in your S3 bucket. There will be about 100 such files which make up a fictitous dataset of medical diagnoses and treatments approved by an insurance company or goverment agency. Note that these data have been anonymized by the university and can be shared publicly. Unfortunately this means that any sensitive data places among these data will also be accessible publicly.

Diagnosis,TreatmentID,Provider,TreatmentType,TreatmentName,ApprovalCode,ReviewDate
Giggleheelphobia,QGY5708980HCLP71,Chuckle Clinics LLC,therapy,Miracle Mend Capsules,427996-9512,05/25
Bumbleforeheadalgia,HXGCU165798999XG36L2J2,UK Wellness LLP,pharmaceutical,Albuterol,409189002602,04/26
Noodleeyebrowopathy,JAFH4OV753588480IR06,JollyRx Associates,device,Ribosome Infusion,9881380168743,08/25
Jollytummystasis,6A7BY61179HDV18DBBK,CCX Corp,pharmaceutical,Albuterol,726-375-26957691,07/25
Bumblebrainopathy,6GP0E22520283R60D,JollyRx Associates,device,FocusForte Drops,444-70829600589,05/25
Squiggleelbowstasis,J5603721034S,BellyLaugh Biotech,device,Amlodipine,1265-26417993-15034,04/26
Wobblewristsclerosis,3HQ0I7557764AWC,Mirthful Medicine Inc.,therapy,Dermaline,5354785-01078,10/26
Gigglebellytrophy,AAYMQ0008004S4HP3ODG,Joyful Jabs Pharmaceuticals,therapy,EnerGize Formula,7295781-64791,05/26
Snickercheeklysis,1CHM1233ZR,Chuckle Clinics LLC,therapy,Dermaline,40296103166,06/26
Snickerchinmania,J7T185018YJV889,Jackson Health,device,SleepEase Inhaler,0821-4663506,11/26
Funkyheelsclerosis,X7L358606K144NJ,GrinGrain Organics,therapy,Omeprazole,277-066780601,11/26
Zippynosephobia,IEUKN292688STYDGH,French Medical Research SA,device,MemoryMax Tablets,741562379251,02/25
Gigglechinitis,2ILVD8206U88D,Euphoria Elixir Enterprises,pharmaceutical,VigorVital Tonic,5452-646146,01/26
Fluffychinplasia,NX4O5ML84264K2TJ,French Medical Research SA,pharmaceutical,Rejuvenate Rx Cream,88989967949987,06/25
Wobblechinmegaly,LHQUT2328430EB86N,Euphoria Elixir Enterprises,pharmaceutical,EnerGize Formula,989009066-9902875,02/26

Your Mission

Your mission, should you choose to accept it, is to find personal and/or payment information hidden among the public research data in Amazon S3 before it is stolen.