Los Angeles Times reports:
The nonprofit organization that operates Los Angeles County's social services hotline inadvertently exposed personal information that was stored online, according to county officials and a private security firm that discovered the vulnerability.
UpGuard, a cybersecurity firm based in Mountain View, Calif., said it notified the county in April that it discovered exposed Social Security numbers, addresses and sensitive notes about calls regarding mental health and abuse.
. . . .
It was not immediately clear whether any unauthorized people accessed the data, which was kept in a cloud storage repository maintained by 211 L.A. County, the nonprofit group that operates the county's 211 hotline.
. . . . .
Chris Vickery, director of UpGuard's cyberspace risk research team, said the information he discovered included names, email addresses and weakly encrypted passwords of users operating the 211 system, potentially opening them to attack. He said it was available for public download from an Amazon web server.
The data also contained records for 3.5 million calls and a substantial amount of personally identifiable information, Vickery said. That included 33,000 Social Security numbers, and in many cases full names and addresses — as well as detailed notes for 200,000 calls logged between 2010 and 2016.
In one example, the notes described an elderly woman with dementia who was allegedly being abused by her son. In another, they described a meth addict who said she was suicidal. A third example included details about a woman who suffered from paranoia and was on the verge of being evicted. The firm provided The Times with screen shots of redacted records to document its discovery.