All of the towns and cities appeared to be connected through one product: mapsonline.net, which is owned by a Massachusetts company called PeopleGIS. The company provides information management software to local governments across Massachusetts, New Hampshire and Connecticut.

Due to the sensitive nature of the documents, many of the forms included people’s email address, physical address, phone number, driver’s license number, real estate tax information, license photographs and photos of property.

The researchers shared redacted photos of the data available.

“Our team reached out to the company and the buckets have since been secured.”

Not every municipality had the same information exposed, and the report said the types of files leaked varied. The researchers were not able to provide an estimate on the number of people affected by the exposure because of how varied the forms were.

The researchers did not have a definitive reason for why some buckets were properly secured and others were not.

They suggested that PeopleGIS simply “created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured.”

Another theory involved a potential situation where different employees at PeopleGIS – without clear guidelines – created and configured each bucket.

The third theory was that the municipalities themselves created the buckets with basic guidelines from PeopleGIS “about the naming format but without any guidelines regarding the configuration.” The researchers said this “would explain the difference between the municipalities whose employees knew about it or not.”

“The breach could lead to massive fraud and theft from citizens of those municipalities. The highly-sensitive nature of the data contained within a local government’s database, from phone numbers to business licenses to tax records, are highly susceptible to exploitation by bad actors,” the report said.

“Much of this information is supposed to be only accessible by the government and the citizens, meaning someone could potentially defraud an individual by posing as a government official.”

PeopleGIS did not respond to requests for comment.