Data Broker Leaves 600K+ Sensitive Files Exposed Online (theregister.com)
A security researcher discovered an unprotected database belonging to SL Data Services containing over 600,000 sensitive files, including criminal histories and background checks with names, addresses, and social media accounts. The Register reports: We don't know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks. [The info service provider eventually closed up the S3 bucket, says Fowler, although he never received any response.] In addition to not being password protected, none of the information was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.
Some 95 percent of the documents Fowler saw were labeled "background checks," he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges. While court records and sex offender status are usually public records in the US, this exposed cache could be combined with other data points to make complete profiles of people -- along with their family members and co-workers -- providing everything criminals would need for targeted phishing and/or social engineering attacks.
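A defender's check for the misconfiguration the article describes (an S3 bucket with no access restriction and no encryption), added here as an example that is not part of the article or of any vendor's code: it evaluates the Public Access Block flags, the bucket-policy statements and the default-encryption rules in the dict shapes the AWS API returns, run over two constructed sample configurations. The bucket names and policy contents are constructed for illustration.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def principal_is_everyone(principal):
    # "*" or {"AWS": "*"} (either may be wrapped in a list) is the anonymous principal.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return "*" in principal

def statement_is_public(stmt):
    # An Allow to everyone with no Condition narrowing it exposes the data.
    return (stmt.get("Effect") == "Allow"
            and principal_is_everyone(stmt.get("Principal", []))
            and not stmt.get("Condition"))

def audit_bucket(name, public_access_block, policy_json, encryption_rules):
    """Return a list of findings; an empty list means no exposure was detected."""
    findings = []
    pab = public_access_block or {}
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"{name}: PublicAccessBlock {flag} is not enabled")
    for stmt in json.loads(policy_json).get("Statement", []) if policy_json else []:
        if statement_is_public(stmt):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"{name}: policy allows {', '.join(actions)} to everyone")
    if not encryption_rules:
        findings.append(f"{name}: no default server-side encryption configured")
    return findings

# Constructed samples: an open bucket of the kind in the article, and a hardened one.
EXPOSED = dict(name="constructed-open-bucket", public_access_block=None, encryption_rules=[],
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::constructed-open-bucket", "arn:aws:s3:::constructed-open-bucket/*"]}]}))
HARDENED = dict(name="constructed-locked-bucket", policy_json=None,
    public_access_block={flag: True for flag in PAB_FLAGS},
    encryption_rules=[{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}])

if __name__ == "__main__":
    for bucket in (EXPOSED, HARDENED):
        print("\n".join(audit_bucket(**bucket)) or f"{bucket['name']}: no findings")
```

In production the three inputs come from get_public_access_block, get_bucket_policy and get_bucket_encryption for each bucket; an absent configuration (the API raising a not-found error) is passed in as None or an empty list, which this check treats as a finding.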
Why should the data broker care? (Score:1)
Hate to be a devil's advocate, but the data broker isn't under HIPAA, FERPA, or any laws to keep data protected. If they buy it, it is theirs, and can toss it into pastebin or make a torrent out of it, if they felt like it. Or just resell it to some dudes out of Tehran via a proxy for more cash.
Re:Why should the data broker care? (Score:4, Insightful)
You're making a good argument about why this entire type of data brokerage business shouldn't even be legal in the first place.
Re: (Score:3)
100% They like to argue that their existence means it's easier for you to get credit, or other related things. So, ok, the moment your company becomes a net liability you've lost what little social license you had to exist in the first place. Corporate death sentence would be entirely appropriate.
Re: (Score:2)
About that... There's yes, and there's no.
The data broker may be under no direct obligation to keep the data protected, but they may well be under indirect obligation.
Y'see, if they get the data from someone who IS under those regulations, that third party should be requiring the data broker to adhere to the same privacy protection measures.
Folks like the FBI could make the data broker VERY uncomfortable, having to reveal its sources and contracts or face obstruction charges. And those original sources, i
It's an outrage! (Score:1)
Re: (Score:2)
Well, in theory, if all the personal data is leaked, it has no value, so people will stop collecting it.
Re: Default settings for Amazon S3 buckets? (Score:2)
Re: (Score:2)
And on the 87th call from their VP to your VP as to why they can't access the data....poof, it's made public or people get fired.
Business will *always* choose the easiest/cheapest path in spite of engineers' best intentions.
Until there is a sizable penalty for choosing easy and insecure, nothing will change.
Not if breached, leaked or misplaced; but when (Score:2)
These stories keep giving the idea that once your data is not inside the firewall, it is not if it's breached; it is when will it be breached?
Re: (Score:3)
Nah, that's wrong. It's once your data is in someone else's hands, it is not if but when. Leaving it outside of the firewall is just one of the ways it happens, but there are many forms of negligence, and then of course there's the fact that the whole plan is to provide it to other parties.
Re: (Score:1)
Thanks for that, I chuckled.
Fines and charges (Score:2)
The fine will wipe out the company. That many charges, even if not felonies, will put a real dent in anyone's ability to do any transaction ever again. And proving a misdemeanor is a piece of cake.
We use 128-bit SSL (Score:3)
We're secure.
Why aren't they being fined? (Score:2)
When Sony was hacked they were fined, but when someone else with much more sensitive data is openly available to the world, nothing happens.
including criminal histories. Real Estate Info (Score:2)