Exclusive: Data breach exposes 17,000 yachting industry professionals

A data breach at UK-based Crew and Concierge Limited has exposed the personal data of 17,379 people of 50 different nationalities working in the yachting industry.

Crew and Concierge is an international recruitment agency specialising in securing staff for ultra-high-net-worth clients' yachts operating around the world.

The exposed storage, discovered during a Verdict investigation, held over 90,000 files, all of which appeared to relate to individuals on Crew and Concierge's books. It was a misconfigured Amazon Web Services (AWS) S3 bucket, and it appears to have been online and readable by anyone, without a password, since February 2019.

Crew and Concierge, which is registered as a data controller with the UK's Information Commissioner's Office (ICO), secured the bucket within hours of being notified of the data breach. Crew and Concierge said it has not seen any evidence that its files have been maliciously accessed.

For all individuals, the data exposed included a CV or resume. In most cases, this contained the individual's full name, phone number, email, nationality, visas held, date of birth, work history and professional qualifications.

There were also 1,295 scanned copies of passports, around 1,000 of which are still in date, at least 500 scans of visas and over 1,000 seafarer medical certificates, known as ENG1 forms.

In a statement to Verdict, the full version of which can be viewed here, Sara Duncan, director of Crew and Concierge, said that the company had taken a number of steps to resolve the breach, including hiring a cybersecurity expert. She said:

"From the moment we learnt of the breach my team and I have worked tirelessly to identify the sources of disclosure, detect the areas of weakness, close the vulnerability, recover control of the data, identify precisely what data was compromised, and minimise the potential risk and harm to the affected individuals.

"We have been advised by the cybersecurity consultant that exploitation of S3 buckets is by no means a straightforward activity and that it appears likely that the individual or individuals responsible have developed advanced tools designed specifically to identify AWS customers and whether or not they have a misconfigured instance that may leave it open to malicious attack.

"In our case, the confidence was placed in the team of developers we had hired, trusting that they would do a competent job and implement appropriate and proportionate technical and organisational measures to ensure the protection of the large volumes of information, including personal and sensitive personal information relating to our registered crew.

"We have since established that the breached AWS S3 bucket that we outsourced contained personal data stolen by a malicious actor/s based on a misconfiguration by a third party and published into the public domain.

"This impacts Crew and Concierge, and its valued clients and staff, for which we take full responsibility as the data controller. In this very short period, we have come to understand the true impact of a cyberattack, and we have learnt many valuable but hard lessons.