Exposed in Transit: Nearly 1 Million Records Exposed in Airport Lost-and-Found Database

Cybersecurity researcher Jeremiah Fowler recently discovered a publicly exposed database with 820,750 records belonging to a Germany-based company (Lost and Found Software) that offers tracking and return services for misplaced items in airports across the United States, Canada, and Europe.

The exposed data was spread among 10 non-password-protected databases, totaling 122 GB of data containing:

• High-resolution images of identification documents such as passports and driver’s licenses.
• Payment confirmations for returning lost items, original receipts, and additional documents containing PII.
• Screenshots of shipping labels and personal correspondences, all stored in folders labeled “user image and item image.”

“In a limited sampling of the exposed documents, I saw records and images indicating shipping labels, screenshots, reports, and lost items,” Fowler explained. “These ranged from medical devices, computers, personal electronics, wallets, bags, antiques, and just about anything else you can imagine travelers taking with them on their flights. The most concerning files I saw in the database were a large number of high resolution images of identification documents such as passports, drivers licenses, employment documents, and more.”

It's unclear whether these documents were lost items themselves or if airport staff uploaded them while verifying travelers’ claims. Either way, they were highly sensitive records available to access in the public domain.

Fowler contacted the company, and the databases were soon secured. It remains unknown how long the data had remained exposed or whether unauthorized parties accessed it before it was secured.

Potential Risks and Safety Measures

Although the researcher clearly noted that there is no evidence suggesting immediate or actual misuse of the exposed data, travelers should take proactive security measures and familiarize themselves with potential risks, including:

·         Identity Theft: Threat actors can use travelers’ passports, driver’s licenses, and other identification documents to open new accounts, create counterfeit documentation, or resell the data on the dark web.

·         Targeted Scams: With detailed knowledge of specific lost items, scammers can easily pose as legitimate lost-and-found representatives, tricking travelers into handing over additional personal or financial information. For example, if someone lost a high-value laptop, a scammer could claim it was found and request a credit card number to “return” it.

It’s prudent for anyone who believes their personal data may have been compromised to:

1. Monitor their credit reports and financial statements, looking for unusual activity or new account openings you did not authorize.
2. Always verify requests for Information. If you receive suspicious emails, phone calls, or messages from “airline” or “lost and found” sources, verify their legitimacy through official channels before providing personal or financial details.

Use identity protection services: Digital Identity Protection from Bitdefender can help you monitor your online footprint, providing real-time alerts if your personal information surfaces on the dark web or in compromised databases. Such services offer proactive monitoring that helps you detect unusual activity early on, reducing the likelihood and impact of identity theft.