< Back

Report on a Recent Data Incident

On August 28, 2025, at 00:25 UTC, internal monitoring systems detected anomalous activity. An investigation was initiated. This report outlines the findings and remediation steps for two identified security issues.

1. S3 Bucket Permission Vulnerability

Timeline:

  • August 28, 2025, at 00:25 UTC: Anomaly in S3 access patterns detected.
  • August 28 - September 2, 2025: Investigation conducted.
  • September 2, 2025, at 20:7 UTC: IAM permissions were remediated.

Technical Details:

Our dash cameras utilize an IAM user to upload system logs to a designated S3 bucket.

The investigation found that the IAM policy for this user was not scoped to a specific S3 resource and contained overly broad permissions. The policy allowed the s3:ListAllMyBuckets action, which enabled the discovery of other S3 buckets in the account. Furthermore, it granted s3:ListBucket and s3:GetObject permissions on a resource scope that was not restricted to the intended log bucket.

This configuration allowed for the listing of objects within, and the reading of files from, an unintended S3 bucket.

Data Involved:

The data within this specific S3 bucket is limited to non-identifiable video recordings. The bucket does not contain personally identifiable information such as user names and phone numbers.

Remediation:

  • The IAM policy has been corrected and is now restricted to the s3:PutObject action restricted to the specific system logs bucket.
  • A review of all other IAM service accounts and associated tokens has been conducted.
  • The review of the data that was accessed is underway.

2. Atlassian Service Account Compromise

Timeline:

  • September 2, 2025, at 05:50 UTC: Suspicious activity on our Atlassian (Jira/Confluence) services was detected, including an unauthorized user password reset.
  • September 2, 2025, at 18:47 UTC: The account was disabled, and all legacy local accounts were removed.

Technical Details:Unauthorized access to our Atlassian services was gained using a legacy local user account. This account was not managed through our central Google SSO identity provider and did not have multi-factor authentication enforced. The account was used to export a Confluence page containing a list of names and email addresses of active CityStream users.

Remediation:

  • The compromised legacy account was disabled and has been removed.
  • All other legacy local user accounts have been removed from our Atlassian services.
  • Access is now exclusively managed through our central identity provider, which enforces SAML SSO and Two-Factor Authentication (2FA).
  • We are in the process of directly notifying all users whose names and email addresses were on the exported Confluence page.