Lantum S3 bucket leak is prescription for chaos for thousands of UK doctors

Updated A UK agency for freelance doctors has potentially exposed personal details relating to 3,200 individuals via unsecured S3 buckets, which one expert said could be used to launch ID theft attacks or blackmail.

Lantum, an online locum doctor agency, had left the storage accessible on its old backend system, Network Locum, according to researchers. Cybernews discovered the Amazon AWS S3 bucket, potentially exposing 98,000 files relating to thousands of individuals.

The security analysis company monitors various cloud blob storage to understand the potential for misconfiguration. In the process, it discovered the Lantum S3 bucket, which was accessible and indexed on some IoT search engines. The analysts said any malicious actor could have found the repository of personal data relating to the 2014-2016 period.

"We then tried to contact Lantum multiple times with no response. We have asked for NCSC help and were advised to report it to NHS too. However, after multiple attempts, we received no response," the researchers said. The bucket was closed almost immediately after the publication.

Files contain personal information of general practitioners using its services, including passport details, national insurance numbers, resumes, medical documents, professional certificates, payroll details and invoices. Lantum told Cybernews it complied with security standard ISO27001 and had been audited. ISO27001 covers controls that guide data storage.

The Register has offered Lantum the opportunity to comment. According to a statement given to doctors' news site Pulse, a spokesperson for Lantum said: "While this data may have been accessible to unauthorised individuals, there is currently no indication that data has been accessed and no reason to suspect that this is the case.

"We are, however, treating this matter as a potential data breach and will continue to liaise with any individuals who may be affected should more information be revealed by our investigations."

But one doctor with tech expertise was not reassured.

• Another security calamity for Capita: An unsecured AWS bucket
• T-Mobile US suffers second data theft within months
• McGraw Hill's S3 buckets exposed 100,000 students' grades and personal info
• AWS strains to make Simple Storage Service not so simple to screw up

Dr Marcus Baw, immediate past chair of Royal College of GPs Health Informatics Group, said the accessible information was personally sensitive and could leave affected doctors exposed. "Those are the kinds of details you would pick if you wanted to be in a very strong position to create a fake identity," he said.

As well as ID theft, there was a danger of blackmail as the records include details of complaints related to regulatory body the General Medical Council, many of which may be unproven or vexatious.

Baw warned it might take years for the details to resurface in the form of ID theft campaigns after the details have been traded on the dark web.

He said Lantum should be able to analyze downloads from the S3 buckets in question to asses if there had been any unusual activity, and notify the doctors affected.

"They need to admit it. They need to contact every doctor that has ever registered with them and say they are at risk and describe the magnitude of the risk. They could offer to pay underwriting companies to protect those affected against identity theft," Baw said.

Formerly known as Network Locum, Lantum rebranded in 2017. In 2022, Lantum announced it received $15 million in funding from Finch Capital, Piton Capitol, Samos, and Cedar-Sinai Hospital. ®

Updated to add on June 14

A Lantum spokesperson has been in touch to tell us: "We have been alerted to the existence of a potential vulnerability relating to historic data held on an old website 'Network Locum' that has been out of use since 2016. We were able to take action to ensure that the data was fully secured and made inaccessible.

"The data includes detailed personal information about healthcare professionals that have used our services in the past, and we have advised those potentially affected to take precautions to protect their identity."

They added that there was no indication the data had been accessed, but said: "We are, however, treating this matter as a potential data breach and will continue to liaise with any individuals who may be affected should more information be revealed by our investigations.

"The data in question relates to documents uploaded between 2014 and 11th September 2016.

"This data was stored on an old version of the Lantum platform 'Network Locum' that is no longer live, which Lantum migrated away from as part of an upgrade in September 2016.

"We would stress that since 2016, we have been operating on a completely different and highly secure platform, which conforms to the latest UK government approved and international security standards and undergoes regular testing."

The biz added it had informed the UK's privacy watchdog, the ICO; and brought in specialist privacy and cyber consultants.