Data Broker Leaves 600K+ Sensitive Files Exposed Online (theregister.com)

A security researcher discovered an unprotected database belonging to SL Data Services containing over 600,000 sensitive files, including criminal histories and background checks with names, addresses, and social media accounts. The Register reports: We don't know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks. [The info service provider eventually closed up the S3 bucket, says Fowler, although he never received any response.] In addition to not being password protected, none of the information was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.

Some 95 percent of the documents Fowler saw were labeled "background checks," he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges. While court records and sex offender status are usually public records in the US, this exposed cache could be combined with other data points to make complete profiles of people -- along with their family members and co-workers -- providing everything criminals would need for targeted phishing and/or social engineering attacks.

  • by Anonymous Coward

    Hate to be a devil's advocate, but the data broker isn't under HIPAA, FERPA, or any laws to keep data protected. If they buy it, it is theirs, and can toss it into pastebin or make a torrent out of it, if they felt like it. Or just resell it to some dudes out of Tehran via a proxy for more cash.

    • by Narcocide ( 102829 ) on Wednesday November 27, 2024 @09:42PM (#64976811)

      You're making a good argument about why this entire type of data brokerage business shouldn't even be legal in the first place.

      • by Gleenie ( 412916 )

        100% They like to argue that their existence means it's easier for you to get credit, or other related things. So, ok, the moment your company becomes a net liability you've lost what little social license you had to exist in the first place. Corporate death sentence would be entirely appropriate.

    • About that... There's yes, and there's no.

      The data broker may be under no direct obligation to keep the data protected, but they may well be under indirect obligation.

      Y'see, if they get the data from someone who IS under those regulations, that third party should be requiring the data broker to adhere to the same privacy protection measures.

      Folks like the FBI could make the data broker VERY uncomfortable, having to reveal its sources and contracts or face obstruction charges. And those original sources, i

  • How dare they leak my personal information! My data is to be sold, not given away. This is absolutely uncapitalist.

    • Well, in theory, if all the personal data is leaked, it has no value, so people will stop collecting it.

  • These stories keep giving the idea that once your data is not inside the firewall, it is not a question of if it will be breached; it is a question of when it will be breached.

    • Nah, that's wrong. It's once your data is in someone else's hands, it is not if but when. Leaving it outside of the firewall is just one of the ways it happens, but there are many forms of negligence, and then of course there's the fact that the whole plan is to provide it to other parties.

  • I propose a $100 fine and 1 misdemeanor charge per record. The fine is charged to the organization and the criminal charge to the individuals involved.

    The fine will wipe out the company. That many charges, even if not felonies, will put a real dent in anyone's ability to do any transaction ever again. And proving a misdemeanor is a piece of cake.

  • by devslash0 ( 4203435 ) on Thursday November 28, 2024 @04:36AM (#64977179)

    We're secure.

  • When Sony was hacked they were fined, but when someone else with much more sensitive data is openly available to the world, nothing happens.
