Full Report
DataBreaches did not mention this publicly sooner because Kido was already under great pressure due to the breach involving children’s personal information and photos. But now that many people are feeling some relief that the hackers have supposedly deleted all the data and won’t be calling parents any more, DataBreaches can reveal that on Monday,...
Analysis Summary
# Incident Report: Unsecured Data Exposure at Kido (Second Incident)
## Executive Summary
Kido experienced a second, separate security incident shortly after dealing with a major breach involving children's data. This second incident involved the public exposure of an unsecured storage location containing over 600 resumes/CVs of current or prospective employees, including personal information. The vulnerability was discovered through independent research prompted by the prior breach, and Kido quickly confirmed the data lockdown after being notified.
## Incident Details
- Discovery Date: Monday (the report gives only the weekday; the summary infers a date before October 2, 2025)
- Incident Date: Unknown; the bucket was publicly accessible for an undetermined period before discovery
- Affected Organization: Kido (including kidoschools.com and Amelio school in India)
- Sector: Education/Childcare
- Geography: India (Amelio school data); Scope likely international given kidoschools.com.
## Timeline of Events
### Initial Access
- Date/Time: Unknown; the bucket became publicly accessible at some point before Monday's discovery.
- Vector: Insecure cloud storage configuration. The report describes an open storage bucket; the provider is not stated, so "S3" is an inference (Grayhatwarfare indexes public AWS S3, Azure Blob, Google Cloud Storage and DigitalOcean Spaces buckets).
- Details: A researcher found the bucket, which contained resumes, through its listing on Grayhatwarfare, a search engine for publicly accessible buckets.
### Lateral Movement
- Not applicable. The report describes a data exposure (a bucket readable by anyone), not a network intrusion; no persistence or lateral movement is described.
### Data Exfiltration/Impact
- Over 600 resumes/CVs of employees or job applicants were accessible.
- Data included personal information typically found in resumes (e.g., contact details, employment history).
### Detection & Response
- **Detection:** Researcher discovered the leak after reading news about Kido's *prior* major breach and proactively investigated the organization. The researcher reported the finding to DataBreaches.Net on Monday.
- **Response:** Kido was notified by DataBreaches.Net on Monday. A spokesperson confirmed on Tuesday that the data had been "locked down."
## Attack Methodology
- Initial Access: **Misconfiguration/Improper Access Controls** (Publicly accessible storage bucket).
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: External reconnaissance by a researcher leveraging publicly available databases (Grayhatwarfare).
- Lateral Movement: N/A
- Collection: Direct download/access to the unsecured storage bucket.
- Exfiltration: Unknown. The bucket was publicly listed, so anyone who found the listing could have downloaded its contents; the report does not say whether anyone beyond the researcher did.
- Impact: Unauthorized exposure of Personally Identifiable Information (PII) contained within resumes.
## Impact Assessment
- Financial: Not quantified, but response required immediate attention following a major prior event.
- Data Breach: Approximately 600+ resumes/CVs containing PII of current/prospective employees/applicants. Data belonged to kidoschools.com and the Amelio school in India.
- Operational: Minimal reported operational disruption, focused on data lockdown and assessment.
- Reputational: Negative impact, occurring immediately after a highly publicized and sensitive breach involving children's data, suggesting systemic security lapses.
## Indicators of Compromise
- **Network indicators:** None published. The bucket's URL/identifier was not disclosed by DataBreaches.Net or the researcher.
- **File indicators:** Resume/CV documents containing applicants' full names, contact details and employment history.
- **Behavioral indicators:** Appearance of an organization's storage bucket in an open-bucket index such as Grayhatwarfare; for a bucket that is not meant to be public, that listing is itself the indicator of exposure.
## Response Actions
- **Containment measures:** Kido "locked down" the exposed bucket within a day of notification (notified Monday, confirmed Tuesday).
- **Eradication steps:** For a misconfiguration the fix is removing the public grant (ACL, bucket policy or anonymous-access setting, depending on the provider); the spokesperson's statement does not say which was changed. Scoping who accessed the data requires bucket access logs, which exist only if logging was enabled before the exposure.
- **Recovery actions:** Assessment of legal and notification obligations toward the affected applicants and employees, based on what the access logs (if any) show.
## Lessons Learned
- Two distinct incidents in quick succession point to a gap in cloud storage configuration management rather than a one-off mistake.
- The second incident was found by an outside researcher who went looking because of news of the first, not by Kido's own monitoring, which indicates the organization was not inventorying or scanning its own public-facing storage.
- Insecurely configured buckets are indexed by public search services such as Grayhatwarfare, so an open bucket should be assumed discoverable by anyone, not just by the researcher who reported it.
## Recommendations
- Conduct an immediate audit of **all** cloud storage environments (S3, Azure Blob Storage, etc.): check bucket ACLs, bucket policies and anonymous-access settings, enable the provider's account-wide public-access block (S3 Block Public Access; the "allow anonymous access" setting on Azure storage accounts set to disabled), and enforce least-privilege access for the principals that actually need the data.
- Implement external attack surface management: enumerate the organization's storage endpoints and check them from the outside (including open-bucket indexes such as Grayhatwarfare) on a schedule, so exposures are found before researchers or attackers find them.
- Review data retention for applicant and employee resumes so that PII of past applicants is not kept indefinitely, and enable access logging on buckets holding PII so a future exposure can be scoped.
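The storage audit recommended above, as an added worked example that is not code from DataBreaches.Net, Kido or AWS. It goes beyond the single bucket in the report: it evaluates the three S3 controls that together decide whether data is reachable from the Internet (bucket policy, bucket ACL, and the Block Public Access switches), and shows the combinations that matter, such as a public policy that is neutralised by Block Public Access. The policy, ACL and Block Public Access documents are constructed to resemble AWS API responses; the bucket name, account ID, role ARN and VPC endpoint ID in them are invented. The `audit_account` helper assumes boto3 is installed and credentials with `s3:ListAllMyBuckets` and `s3:GetBucket*` rights are available; the rest runs offline.

```python
"""Offline audit of S3 access-control documents for public exposure.

Added example (not Kido's, DataBreaches.Net's or AWS's own tooling). Sample
documents below are constructed; names, IDs and ARNs in them are invented.
"""
import json

# ACL grantee groups that make a grant readable by the whole Internet
# (AllUsers) or by anyone holding any AWS account (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Condition keys that pin a wildcard principal to an account, org or VPC;
# a subset of the keys AWS itself uses to decide a statement is not public.
RESTRICTIVE_CONDITION_KEYS = {
    "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
    "aws:SourceAccount", "aws:SourceArn", "aws:SourceVpc", "aws:SourceVpce",
    "aws:userid", "s3:DataAccessPointAccount", "s3:DataAccessPointArn",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM documents allow scalar-or-list in most fields; normalise to list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list[str]:
    """Sids (or positional labels) of Allow statements any principal can use."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny with Principal "*" is a common hardening idiom
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if cond_keys & RESTRICTIVE_CONDITION_KEYS:
            continue  # wildcard principal, but pinned to an account/VPC/org
        hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def public_acl_grants(acl: dict) -> list[tuple[str, str]]:
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission", "")))
    return out


def audit_bucket(name: str, policy: dict, acl: dict, pab: dict) -> dict:
    """Combine policy, ACL and Block Public Access state into one verdict.

    A public grant only exposes data if the matching switch is off:
    RestrictPublicBuckets neutralises public policies, IgnorePublicAcls
    neutralises public ACL grants. `pab` is {} when none is configured.
    """
    pol = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    gaps = [k for k in PAB_SETTINGS if not pab.get(k, False)]
    exposed = (bool(pol) and "RestrictPublicBuckets" in gaps) or \
              (bool(grants) and "IgnorePublicAcls" in gaps)
    return {"bucket": name, "public_policy": pol, "public_acl": grants,
            "pab_gaps": gaps, "exposed": exposed}


# --- constructed sample documents (invented bucket, account, role, VPCE) ----
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-hr-uploads", "arn:aws:s3:::example-hr-uploads/*"]}]}
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "HrPortalOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-portal"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hr-uploads/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-hr-uploads/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
LOCKED_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
LOCKED_PAB = {k: True for k in PAB_SETTINGS}
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "FromOurVpcEndpoint", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hr-uploads/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}


def audit_account() -> None:
    """Feed the same checks from a live account (assumes boto3 + credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError:  # NoSuchBucketPolicy
            policy = {}
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError:  # NoSuchPublicAccessBlockConfiguration
            pab = {}
        print(json.dumps(audit_bucket(name, policy, s3.get_bucket_acl(Bucket=name), pab)))


if __name__ == "__main__":
    print(json.dumps(audit_bucket("open", OPEN_POLICY, OPEN_ACL, {})))
    print(json.dumps(audit_bucket("locked", LOCKED_POLICY, LOCKED_ACL, LOCKED_PAB)))
```

Two design points worth noting. A `Deny` statement with `Principal "*"` is not a finding; it is the usual way to force TLS or restrict transport, so the check only flags `Allow`. And the verdict is computed per control rather than per bucket because the remediation differs: a public ACL is fixed by removing the grant or turning on `IgnorePublicAcls`, a public policy by rewriting the policy or turning on `RestrictPublicBuckets`, and an account-level Block Public Access configuration catches both for every bucket at once.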