Cybersecurity Alert: Major Data Breach Exposes Millions of Records in Cloud Storage Misconfiguration A significant data breach has exposed over 10 million sensitive records due to a misconfigured cloud storage bucket, security researchers at Wiz discovered on June 12, 2024. The incident involved an unsecured Amazon S3 bucket belonging to Brightly Software, a subsidiary of Siemens specializing in education and municipal management solutions. The exposed data included personal information (PII) such as names, email addresses, phone numbers, and in some cases, student and staff records from K-12 schools and local government entities using Brightly’s SchoolDude and Cityworks platforms. Financial documents, internal communications, and system credentials were also found in the unprotected storage. The misconfiguration stemmed from improper access controls, leaving the bucket publicly accessible without authentication. While there is no evidence of malicious exploitation, the exposure highlights persistent risks in cloud security, particularly for third-party vendors handling sensitive data. Brightly confirmed the breach after being notified by Wiz and secured the bucket within 24 hours, though the duration of the exposure remains unclear. The incident underscores the growing threat of supply chain vulnerabilities, as organizations increasingly rely on external providers for critical infrastructure. Regulatory bodies, including state-level education and privacy agencies, are expected to review the breach’s compliance with FERPA (Family Educational Rights and Privacy Act) and other data protection laws. Siemens has not issued a public statement beyond acknowledging the remediation efforts.

Former Contractor Convicted in Extortion Scheme Targeting Brightly Software A 27-year-old North Carolina man, Cameron Curry (alias "Loot"), has been found guilty of extorting Brightly Software, a Siemens-owned SaaS provider specializing in asset management and maintenance software for over 12,000 global clients. Curry, who worked as a data analyst contractor for Brightly, exploited his access to corporate and payroll data between August and December 2023, stealing sensitive documents after learning his six-month contract would not be renewed. On December 11 one day after his contract ended Curry sent over 60 extortion emails to Brightly employees, demanding a $2.5 million ransom in exchange for not leaking stolen data. The emails included screenshots of employee PII, such as names, birthdates, addresses, and compensation details, and threatened to report Brightly to the SEC for failing to disclose the breach. Curry warned that salary information would be publicly released starting January 1, 2024, with the ransom increasing by $100,000 monthly if unpaid. Brightly paid $7,540 in Bitcoin to Curry’s cryptocurrency wallet before reporting the incident to the FBI. A January 24 search of Curry’s residence uncovered electronic devices containing evidence of the scheme. He now faces up to 12 years in prison for six counts of interstate extortion. Separately, Brightly disclosed a May 2023 data breach affecting nearly 3 million SchoolDude customers after attackers accessed the platform’s database on April 20, stealing credentials and personal data. The intrusion was detected eight days later.

The Maine Office of the Attorney General reported a data breach involving Brightly Software, Inc. on May 11, 2023. The breach, which occurred on April 20, 2023, was due to external system hacking and affected a total of 2,964,292 users, with 11,486 residents specifically in Maine impacted.