Casmer Labs Presents: Quarterly Threat Report (Q2 25')

Massive Data Breach Could Affect 10% of Texas-Based Truckers


Casmer Labs, the threat research team within Cloud Storage Security, has continued to observe cases in 2025 where sensitive data became exposed through publicly accessible cloud storage. These exposures are typically caused by configuration, not intrusion. A storage resource such as an Amazon S3 bucket is left open to the internet and ends up holding real personal and compliance documentation.

In these situations, no exploit is required. If an S3 bucket allows public read or list access, anyone who can locate it can download its contents. That is a cloud data exposure event even if there was no malware, credential theft, or lateral movement.

One recent case involving AJT Compliance LLC shows how severe this can get.

Incident Summary

According to public reporting on September 25, 2025, researchers identified an Amazon S3 bucket managed by AJT Compliance LLC, a Texas-based Department of Transportation compliance services provider. The bucket was publicly accessible and contained tens of thousands of files tied to commercial trucking compliance.

The exposed data reportedly included:

  • Images of Social Security cards and raw Social Security numbers (more than 18 thousand records)
  • Driver license images (more than 23 thousand records)
  • Drug test results
  • Employment contracts and onboarding packets
  • Background check and consent forms
  • Vehicle insurance cards and other insurance documentation
  • Employee consent forms
  • Vehicle inspection results and related Department of Transportation compliance paperwork


The data appeared to relate to licensed commercial drivers. Some estimates suggested the exposed records could impact up to roughly 10 percent of Texas-based commercial truck drivers. This figure is based on researcher estimates comparing known Texas commercial driver counts against the total number of unique records observed. It should be treated as an approximation and not a confirmed final count.

The files dated back to at least 2022. Reporting also noted that new objects were actively being uploaded to the bucket during the investigation window in mid 2025, which indicates this was part of an active business workflow, not an abandoned archive.

Timeline details published by researchers are as follows:

  • July 31, 2025: The public exposure was discovered
  • August 1, 2025: Initial disclosure attempts were made to AJT Compliance LLC
  • September 3, 2025: The bucket was made private and public access was removed
  • September 25, 2025: Broader reporting on the incident was published

This is a typical sequence in cloud storage exposure cases. A bucket created for operational reasons ends up holding sensitive data, its permissions are relaxed so files can be uploaded and retrieved quickly, and that relaxed access quietly becomes permanent until an outside researcher finds it.

Why This Exposure Matters

The AJT Compliance LLC bucket did not just contain administrative metadata. It reportedly contained direct identity artifacts in photo and text form: Social Security cards, driver licenses, drug testing paperwork, employment records, and vehicle compliance documentation.

There are three reasons that matters:

  1. First, fraud and abuse risk

    The combination of name, date of birth, Social Security number, driver license image, and employment record is enough to support highly convincing social engineering or impersonation. An attacker could contact a driver, a carrier, or a payroll desk and replay highly specific details that would normally only be known internally. This raises the risk of identity theft and follow-on fraud.

  2. Second, regulatory exposure

    In most jurisdictions in the United States, unredacted government identifiers, health test results, and personally identifiable information of employees are treated as sensitive data. When that type of information is publicly retrievable from an internet-exposed S3 bucket, the organization responsible may face reporting duties, contract fallout, and questions from state and federal oversight bodies. Commercial carriers may also have notification obligations to affected drivers.

  3. Third, audit and evidence pressure

    Leadership, legal, partners, insurers, and in some cases regulators will ask for a timeline. When did the bucket become public? Who accessed which files and in what volume? When was access removed? If the organization cannot produce that timeline using logs and access records, the event is harder to close and harder to explain.

This case also differs from many other 2025 storage exposures in one important way. In a number of other cases this year, including incidents in the financial sector and in member-based financial services organizations, the exposed material was transactional metadata or customer reference data, for example account numbers or internal form PDFs. In the AJT Compliance LLC case, the reported exposure contained full identity artifacts, including images of government-issued documents and Social Security numbers, which materially increases personal risk for affected drivers.

How This Kind of Exposure Happens

Amazon S3 includes native controls such as S3 Block Public Access, access policies, and IAM guardrails. Those controls can prevent broad or anonymous read access. They do work when consistently applied and monitored. The gap is consistency at scale.

Some consistent patterns:

  • Storage is created quickly to support a process such as Department of Transportation compliance intake, driver onboarding, employment screening, or document retention
  • The bucket is considered temporary or operational and is sometimes created outside a main production account
  • Real-world driver and employee data is uploaded because that is faster than building a sanitized workflow
  • Read and list access is opened up to simplify intake, contractor upload, downstream review, or automated processing
  • That access is never fully locked back down
  • The bucket continues to be used for live work while it is effectively open to the internet

At that point, a public S3 bucket is holding active sensitive data and is still receiving new files. That is not an intrusion. It is a configuration state.

This is a storage governance and visibility problem and is part of a broader data security posture management challenge for cloud storage. If you cannot see every bucket, understand what is in it, and confirm how it is exposed, you cannot reliably control that data.

Recommended Actions for Organizations

The following controls are widely considered baseline for protecting sensitive material stored in cloud object storage:

Restrict public access by default

  • Enforce Amazon S3 Block Public Access at the account level and bucket level, unless there is a documented and temporary exception with an owner and an expiration
  • Review bucket policies, ACLs, and IAM permissions that allow anonymous or broad read access through s3:GetObject
  • Treat public or anonymous access to storage as an exception request, not a normal state
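
One way to run the policy review above offline, as an added example that is not from the original post or from Cloud Storage Security. It flags anonymous Allow statements covering read (s3:GetObject) or list (s3:ListBucket) in a bucket policy document and reports which Block Public Access settings are off. The function names, sample policy, bucket name and account ID are constructed for illustration, and the check does not interpret NotPrincipal, NotAction or the contents of a Condition.

```python
import fnmatch

# Anonymous read (s3:GetObject) and list (s3:ListBucket) are what this check looks for.
SENSITIVE_ACTIONS = ("s3:GetObject", "s3:ListBucket")
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)


def public_grants(policy):
    """Return (sid, action, conditional) for each anonymous Allow of read or list."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action", []))
        for action in SENSITIVE_ACTIONS:
            # Action names are case-insensitive and may contain * wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                findings.append((stmt.get("Sid", "<no Sid>"), action, "Condition" in stmt))
    return findings


def missing_bpa_flags(config):
    """Block Public Access settings that are absent or set to False."""
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]


# Constructed sample inputs; bucket name and account ID are placeholders.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IntakeRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:Get*", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-intake", "arn:aws:s3:::example-intake/*"]},
    {"Sid": "AppWrite", "Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/intake-app"},
     "Resource": "arn:aws:s3:::example-intake/*"}]}
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
```

A finding with the conditional flag set to True still needs a human look, because whether the Condition actually narrows access depends on its keys and values.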

Maintain a continuous storage inventory

  • Maintain an always current inventory of S3 buckets, EBS snapshots, EFS file systems, FSx file systems, Glacier vaults, and similar storage resources across every AWS account and region in scope
  • For each storage location track the owner, business purpose, data sensitivity, last activity, encryption status, any external or cross account exposure, and whether it is publicly accessible
  • Generate and update this inventory automatically rather than manually

Without this, security teams often first learn about a bucket when someone else reports it.

Classify and label sensitive data

  • Identify which storage locations hold high risk or regulated data such as government identifiers, employee PII, test results, or financial and compliance documentation
  • Apply stricter access rules, logging, and review requirements to those locations
  • Avoid copying production or personnel records into temporary intake buckets or partner share buckets without first applying hardened access controls

Monitor object level access

  • Capture list and read activity for locations that contain sensitive data
  • Alert on large scale enumeration or download behavior, unexpected access from unfamiliar identities, or patterns consistent with bulk collection or staging for extortion
  • Retain this access history so you can determine if data was actually taken, not just exposed

Continuously check storage posture

  • Continuously evaluate storage for public access, broad cross account access, missing encryption, missing logging, weak retention and immutability settings, and similar posture issues
  • Detect configuration drift. For example, a bucket that was private last week and public this week should trigger an alert
  • Extend posture review to vendor or partner-connected storage, not just internal accounts

Preserve evidence

Any exposure review will require, at minimum, answers to the following:

  • When did the bucket or file system first become public or broadly exposed?
  • Which identities accessed which objects and in what volume?
  • When was access removed?

Being able to answer those questions with timestamps shortens incident handling, supports notification decisions, and reduces audit friction.
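
An added example (not from the original post or from Cloud Storage Security) covering both "Monitor object level access" and "Preserve evidence": it parses S3 server access log records, totals list calls, objects read and bytes sent per caller with first and last timestamps, and flags anonymous callers that listed the bucket and read several objects. The log lines are constructed, the field layout assumed is the standard S3 server access log format, and the threshold and function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Leading fields of an S3 server access log record, in documented order.
LOG_RE = re.compile(
    r'^\S+ (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'\S+ (?P<op>\S+) (?P<key>\S+) "[^"]*" (?P<status>\d{3}) \S+ (?P<bytes>\S+)')
GET, LIST = "REST.GET.OBJECT", "REST.GET.BUCKET"


def summarize(lines):
    """Per (ip, requester): objects read, list calls, bytes sent, first/last seen."""
    stats = defaultdict(lambda: dict(keys=set(), lists=0, bytes=0, first=None, last=None))
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"][0] != "2" or m["op"] not in (GET, LIST):
            continue  # unparsable, unsuccessful, or not a read/list request
        s = stats[(m["ip"], m["requester"])]
        if m["op"] == GET:
            s["keys"].add(m["key"])
            s["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
        else:
            s["lists"] += 1
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        s["first"] = min(s["first"] or when, when)
        s["last"] = max(s["last"] or when, when)
    return dict(stats)


def bulk_anonymous(stats, min_keys=3):
    """Anonymous callers (requester "-") that listed and read >= min_keys objects."""
    return sorted(ip for (ip, who), s in stats.items()
                  if who == "-" and s["lists"] and len(s["keys"]) >= min_keys)


def _rec(sec, ip, who, op, key, status, size):
    uri = "/?list-type=2" if key == "-" else "/" + key
    return (f'OWNERID example-intake [01/Jan/2025:10:00:{sec:02d} +0000] {ip} {who} '
            f'REQ{sec} {op} {key} "GET {uri} HTTP/1.1" {status} - {size} - 12 10 "-" "-" -')


SAMPLE_LOG = [  # constructed input, not incident data; ids and names are placeholders
    _rec(1, "198.51.100.7", "-", LIST, "-", 200, 900),
    _rec(2, "198.51.100.7", "-", GET, "docs/a.pdf", 200, 5000),
    _rec(3, "198.51.100.7", "-", GET, "docs/b.pdf", 200, 7000),
    _rec(4, "198.51.100.7", "-", GET, "docs/c.pdf", 200, 3000),
    _rec(5, "203.0.113.9", "-", GET, "docs/x.pdf", 403, 0),
    _rec(6, "203.0.113.20", "arn:aws:iam::111122223333:user/qa", GET, "docs/a.pdf", 200, 5000),
]
```

S3 server access logging has to be enabled on the bucket before an exposure for records like these to exist.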

How DataDefender Helps

DataDefender by Cloud Storage Security focuses on data security posture management, also called DSPM, for cloud storage. It is designed to help security teams and compliance teams govern data in Amazon S3 and other AWS storage services at scale.

It is built to do the following:

  1. Inventory storage

    DataDefender maintains a live view of object and file storage across connected AWS accounts. This includes Amazon S3, EBS snapshots, EFS, and FSx. The inventory includes owner, business label, exposure status, encryption state, recent activity, and other metadata that is difficult to maintain manually.

  2. Identify and label sensitive data

    DataDefender helps locate storage locations that contain personally identifiable information, driver and employee records, government issued identifiers, and other regulated data. This allows teams to focus stronger controls and closer monitoring on high impact locations.

  3. Monitor activity at the data layer

    The platform records which identities accessed which objects and when. It highlights unusual or bulk access patterns. This supports investigation of potential data exfiltration, insider misuse, or ransomware style activity in storage.

  4. Continuously assess storage posture

    DataDefender runs ongoing checks across storage related configuration controls, including public access, cross account access, encryption, logging, retention, replication, versioning, and immutability. The goal is to surface misconfigurations before they become public exposure events.

  5. Provide investigation and audit evidence

    When a possible storage exposure is reported, DataDefender supports drill-down into activity, in other words who accessed what, at what time, and which objects were involved. This evidence helps answer standard questions from leadership, legal, partners, and auditors.

In addition, Cloud Storage Security offers Antivirus for Cloud Storage. Antivirus for Cloud Storage performs in-tenant, multi-engine malware scanning on objects in storage. This helps organizations reduce the chance of known malicious files or ransomware payloads being ingested into storage or redistributed internally or to partners.

Guidance for Individuals Potentially Affected

If you are a driver or employee who believes your personal data may have been exposed in the AJT Compliance LLC incident, the following steps are commonly recommended by identity theft response guidance in the United States:

  • Visit IdentityTheft.gov and create an identity theft report
  • Place a temporary fraud alert on your credit file. You can do this with one of the three major credit bureaus: Experian, TransUnion, or Equifax
  • Request a free copy of your credit report. AnnualCreditReport.com allows you to request reports
  • File a police report with your local department if you believe your identity is being misused
  • Submit a complaint to the FBI Internet Crime Complaint Center at IC3.gov if you observe attempted fraud using your information
  • Notify the Internal Revenue Service using Form 14039 Identity Theft Affidavit so that tax filings using your Social Security number are monitored

These steps are intended to limit downstream fraud in cases where Social Security numbers and driver license images are exposed.

Summary

Large scale cloud storage exposures in 2025 increasingly involve regulated personal data and compliance documentation, not just internal reference files. In the AJT Compliance LLC incident, the exposed material reportedly included Social Security cards, driver licenses, employment and drug testing records, background checks, insurance cards, and vehicle inspection results. The exposure was caused by an openly accessible Amazon S3 bucket, not by a targeted intrusion.

Reducing this type of risk requires consistent control of public access, continuous inventory of all storage locations across every AWS account, classification and labeling of sensitive data, monitoring of object level access, ongoing posture assessment, and preservation of evidence.

These practices align with the goals of DSPM for cloud storage. The objective is to understand where sensitive data lives, how it is exposed, who accessed it, and how to prove it.
