On Wednesday, vpnMentor published a report on the security incident, in which an unsecured bucket was left exposed online.
The server, which did not have authentication controls in place and was, therefore, accessible by anyone to view, contained 157GB of data, or just under an estimated 200,000 files.
After discovering the open system, the researchers traced the owner as Phlebotomy Training Specialists. The LA-based organization offers phlebotomy certification and courses in states including Arizona, Michigan, Texas, Utah, and California.
According to vpnMentor, the records contained within were backed up from September 2020, but some were created before this time.
The unsecured Amazon S3 bucket contained a variety of PII including ID card and driver license copies, as well as CVs, revealing names, dates of birth, genders, photos of students, home addresses, phone numbers, email addresses, and both professional and educational summaries.
In addition, over 27,000 tracking forms were found that in some cases contained the last four digits of Social Security numbers, as well as student transcripts and training certificate scans.
vpnMentor's team, led by Noam Rotem and Ran Locar, estimates that between 27,000 -- 50,000 people, including course applicants and attendees, were impacted.
The researchers informed Phlebotomy Training Specialists of their findings on September 7, three days after the S3 bucket's discovery. Further attempts at contact were made but there was no response. The team then attempted to contact Amazon before reaching out to USA Cert on September 20.
The researchers told ZDNet that two buckets were eventually found, one of which has been closed -- but the other remains open.
ZDNet has reached out to Phlebotomy Training Specialists for comment and we will update when we hear back.