Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained over 1.2 million documents belonging to UK-based Amberstone Security Ltd, a technology and physical security services company.
The publicly exposed database contained 1,274,086 documents with a total size of 245.3 GB. These included the PII and images of thousands of security guards, images of security credentials or license cards issued by the Security Industry Authority (SIA), incident reports, as well as names and dates of birth of theft suspects. Upon further research, it was identified that the documents belonged to Amberstone Security Ltd., a UK-based security company that provides security solutions, intelligence-led manned guarding, and loss-prevention services. I immediately sent a responsible disclosure notice to Amberstone Security, and public access to the database was restricted the following day. It is not known how long the data was exposed or if anyone else may have accessed the documents; only a comprehensive internal cyber forensic audit could identify this information.
Amberstone Security restricted public access to the database and replied thanking me for my responsible disclosure notification. “Thank you for bringing this to our attention, this is deeply concerning. I am investigating this with the supplier who developed and hosts the platform. Please rest assured that we take data security seriously, and this will be investigated thoroughly”.
Although the records belonged to Amberstone Security, according to their statement, the database and files were managed by a third-party contractor. I did not receive any additional messages, nor did Amberstone specifically identify the name of the supplier in their response. Amberstone appears to be linked to the Argenbright Group, a privately-held family of companies that provides commercial and government security. It is not clear exactly why these documents were collected and stored. The database also contained development files regarding an application called Guarded On Duty, which was developed by ATWRK LTD. According to both the Google and Apple App Stores, the privacy policy of this application is linked to Amberstone Security. The application lets security guards log in and upload images of their badges and themselves to verify they are working their scheduled shift at a specific job location.
I saw a folder that contained around one hundred thousand images labeled “guard pics”, consisting of: (i) images of security personnel checking in for their shifts using a photograph of themselves and often holding their security badge; and (ii) photographs of guard identification cards. The app store’s summary of security practices indicates the app does not employ encryption and that data isn’t transferred over a secure connection, suggesting that the data is potentially at risk and may be missing some fundamental security safeguards.
The records I saw range from 2017 to 2024. The database also contained an extensive list of customers and businesses that use Amberstone Security’s services. These customers appeared to be from a diverse range of industries including retail, distribution, leisure and NTE, events and hospitality, corporate, finance, healthcare, education, government and criminal justice, agriculture, ports, and residential security.
This is a collage of screenshots showing profile pictures of the security guards. There were 14,492 images marked as profile pictures.
This is a collage of a sample of guard identification cards. The folder contained 99,151 pictures that appeared to show security personnel checking in for their shifts using a photograph of themselves, their security license card, or both.
This is a collage of images marked as offender pictures. Some contained sensitive information such as name, date of birth, and details about the theft.
This screenshot shows how security guards identify a potential suspect in a theft. The notes explain what is being stolen, how the alleged crimes are committed, the store locations, tactics used, and details about accomplices (where applicable).
Incident reports in .xls format that describe the location, details of what happened, and the name of the security officer who reported the incident.
This screenshot shows exposed .apk files for an application called Guarded on Duty.
Potential risks of exposed application files
The database also contained APK files (Android Package). Any exposed application files could pose security risks if malicious actors gained access to the source files. For instance, APK files may contain sensitive user data, such as login credentials, personal information, or other sensitive details, which are not intended to be accessed by unauthorized individuals. Another potential risk is where a cybercriminal edits or alters APK files to inject malware or malicious code. This could potentially allow attackers to access devices and the user’s personal data and files, or compromise the security of other applications installed on the device. Organizations that offer mobile applications should take additional steps to secure their source files from public access. I imply no wrongdoing by Amberstone. Application and development files should never be publicly exposed, as there could be far-reaching consequences if they were manipulated by criminals. I am not saying that there has been any unauthorized use of the exposed APK or source files. I am only providing a real-world hypothetical example of how these files could create a potential risk for users.
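The two concerns above (credentials baked into a package, and a package altered after release) and the app-store note earlier in the post that uploads are not sent over a secure connection are all things a developer or the hosting supplier can check for before a package is stored or shipped. The Python script below is an added example for this article; it is not code from the original post, from Amberstone Security, or from ATWRK, and the archive it inspects is constructed inside the script with placeholder values (an APK is an ordinary ZIP archive, so the same functions work on a real package path). It scans text-like entries for credential-looking strings, flags cleartext http:// endpoints, and compares per-entry SHA-256 hashes against a known-good manifest to spot added, removed or changed files. The manifest comparison assumes the known-good hashes are kept somewhere the package cannot reach, and it complements rather than replaces signature verification with Android's own apksigner tool.

```python
"""Defender-side checks for a mobile app package before it is distributed or
stored: (1) scan text-like entries for embedded credentials, (2) flag cleartext
http:// endpoints, (3) compare per-entry hashes against a known-good manifest
to detect a modified package. The sample archive below is constructed for this
example; it is not the Guarded On Duty app or any real APK."""
import hashlib
import io
import re
import zipfile

# Patterns that commonly indicate credentials baked into app resources.
SECRET_PATTERNS = {
    "api_key": re.compile(r"(?i)api[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
    "password": re.compile(r"(?i)password\s*[=:]\s*['\"]?\S{6,}"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
CLEARTEXT_URL = re.compile(r"http://[^\s'\"<>]+")
# Entry types worth reading as text; DEX and native code are skipped here.
TEXT_SUFFIXES = (".xml", ".json", ".properties", ".txt", ".cfg", ".js")


def build_sample_apk(dex_payload: bytes = b"dex\n035\x00" + b"\x00" * 32) -> bytes:
    """Constructed stand-in for an APK (an APK is a ZIP archive). The key and
    endpoint values are placeholders, not real credentials."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='example.placeholder'/>")
        z.writestr("classes.dex", dex_payload)
        z.writestr(
            "assets/config.properties",
            "api_key=PLACEHOLDER_KEY_0123456789abcdef\n"
            "endpoint=http://example.invalid/upload\n",
        )
    return buf.getvalue()


def _text_entries(apk_bytes: bytes):
    """Yield (name, decoded text) for entries that look like text resources."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith(TEXT_SUFFIXES):
                yield name, z.read(name).decode("utf-8", errors="ignore")


def find_embedded_secrets(apk_bytes: bytes):
    """Return [(entry, pattern_label)] for every credential-like match."""
    hits = []
    for name, text in _text_entries(apk_bytes):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                hits.append((name, label))
    return hits


def find_cleartext_endpoints(apk_bytes: bytes):
    """Return [(entry, url)] for http:// URLs, i.e. traffic not protected by TLS."""
    return [(name, url) for name, text in _text_entries(apk_bytes)
            for url in CLEARTEXT_URL.findall(text)]


def entry_hashes(apk_bytes: bytes):
    """SHA-256 of every entry's contents, keyed by entry name (a release manifest)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest() for name in z.namelist()}


def detect_tampering(apk_bytes: bytes, known_good: dict):
    """Names of entries added, removed or changed relative to the known-good
    manifest. Complements, but does not replace, APK signature verification."""
    current = entry_hashes(apk_bytes)
    return sorted(n for n in set(current) | set(known_good)
                  if current.get(n) != known_good.get(n))


if __name__ == "__main__":
    release = build_sample_apk()
    manifest = entry_hashes(release)  # record this at release time, store out of band
    print("secrets:", find_embedded_secrets(release))
    print("cleartext endpoints:", find_cleartext_endpoints(release))
    # A copy whose classes.dex differs stands in for a package modified after release.
    modified = build_sample_apk(dex_payload=b"dex\n035\x00" + b"\x01" * 32)
    print("changed entries:", detect_tampering(modified, manifest))
```

Run against the constructed archive, the secret scan reports the placeholder API key in `assets/config.properties`, the endpoint check reports the plain `http://` upload URL, and the hash comparison names `classes.dex` as the changed entry in the modified copy. The pattern list is deliberately small; a real pipeline would extend it and treat every hit as something to rotate and move out of the package rather than something to explain away.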
Potential risks of exposed license cards
Physical security is a critical industry that requires qualifications and background checks to ensure the guards are eligible and have no criminal history. Exposure of identification documents issued by the UK’s Security Industry Authority (SIA) poses significant potential security risks. In a phone call to the SIA, I inquired whether the SIA-issued security license card incorporated biometric features or was just a plastic card. I was told that, as of now, the security license card is just a plain plastic card; although there is a plan to introduce biometric features, there is no specific date of when that will be implemented. This means it could potentially be very easy to reproduce or make a counterfeit security license card without any advanced verification methods. Biometric cards would contain an embedded electronic microprocessor chip with specific information to safely verify the cardholder’s identity and the legitimacy of the license card.
One hypothetical example of a risk scenario would be if criminals used the exposed information (such as the guards’ names, photographs, and license numbers) to impersonate security personnel or gain unauthorized access to a secure facility for criminal purposes. This could potentially lead to a physical security breach, theft, vandalism, or — as a worst-case scenario — acts of terrorism. The exposure of SIA identification documents could pose a serious potential threat to public safety, personal privacy, and the integrity of security operations if misused by unauthorized individuals. I am not saying that there is an imminent risk of any unauthorized use of security license documents or the misuse of the identities of security guards. I am only providing a real-world hypothetical scenario to explain how criminals could exploit the exposed identification documents for nefarious purposes.
Privacy concerns for guards and alleged suspects
Security guards play a crucial role in maintaining public safety and protecting property. It is important to protect the privacy and personal safety of individuals working as security guards. Any data incident that exposes sensitive information such as names, security license numbers, and profile pictures could potentially compromise the guards’ personal privacy or make them a target for harassment by criminals who may seek retribution. Unauthorized use of a security guard’s license or identity to commit a crime or access a secure location could potentially create legal problems for the guard or undermine their ability to effectively do their job.
The documentation of alleged theft suspects, including images of their faces and personal information, raises significant privacy concerns. I saw numerous photographs of theft suspects that contained personal details such as names, dates of birth, and details about their potential crimes. It is not known if these individuals have been arrested, charged with a crime, or have any type of criminal record or conviction by a court for the alleged crimes described in the documents I saw. From a privacy standpoint, the practice of collecting and storing the images and PII of alleged theft suspects may lead to unwarranted surveillance, stigmatization, and potential discrimination against individuals who may be falsely accused or wrongly identified. From the perspective of the security guards, it is important and valuable to know who is a potential threat or theft suspect. No matter what the reason is to collect and store this information about alleged suspects, it should never be publicly exposed. I am not saying that guards or alleged theft suspects are at imminent risk. I am only providing hypothetical real-world scenarios and raising the issue of potential privacy concerns.
In an increasingly digital world, it is important for providers of offline human operations — like Amberstone Security Services — to take proactive measures to protect their data and the personally identifiable information (PII) of their employees. We have reached the point where real-world services (such as providing physical security) now depend on technology and data for tracking, monitoring, and efficiency. This makes it even more urgent that offline businesses invest in cybersecurity to safeguard the sensitive data they collect and store. I highly recommend that all companies conduct regular security audits and assessments. Taking a proactive approach to data protection can help identify and address vulnerabilities in the organization’s systems, network, or storage repository.
As an ethical security researcher, I never download or extract the data I discover despite it being publicly accessible. I manually review a limited sample and take screenshots for verification purposes. I imply no wrongdoing by Amberstone Security Ltd. or the unidentified third-party contractor who managed the database, nor do I claim that the data of guards, alleged suspects, or others was ever at risk. The duration of the data exposure and the identities of any other parties who may have accessed the documents remain uncertain, and only an internal investigation could review this information. I publish my findings for educational purposes and to bring attention to potential cyber security risks.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.