We recently discovered an unsecured Microsoft Azure Blob that contains deeply sensitive documents belonging to more than 12,000 construction workers, including scans of passports, national IDs, birth certificates, and tax returns. The cloud storage also contains self-employment contracts that include personally identifiable information such as full names, addresses, UK national insurance numbers, and signatures.
The blob appears to belong to Nohow International, a UK-based recruitment and staffing agency that provides blue- and white-collar personnel services to companies across the UK and other countries.
On December 8, we reached out to Nohow regarding the leak but received no response from the company. We then reported the leak to Microsoft CERT on December 15 and the blob was secured sometime in early January.
What data was exposed?
At the time of discovery, the unsecured Microsoft Azure Blob contained 12,464 images, PDF documents, and email messages presumably sent by the exposed workers to Nohow International.
The files include photos of national ID cards and national insurance cards.
The Azure Blob also contained MSG files of email messages sent by construction workers to Nohow’s email address used specifically for receiving documents. The email messages include the workers’ personal and payment information, such as taxpayer reference and national insurance numbers, as well as banking details.
Who is the company behind the leak?
Nohow International is an employment agency that supplies management staff and contract labor to companies in the construction, shopfitting, and mechanical and electrical industries and has 40,000 registered operatives.
According to the Nohow website, the company operates a national database of UK residents “in order to satisfy the fast-track need of ..