Data Broker Leaves 600K+ Sensitive Files Exposed Online (theregister.com)
A security researcher discovered an unprotected database belonging to SL Data Services containing over 600,000 sensitive files, including criminal histories and background checks with names, addresses, and social media accounts. The Register reports: We don't know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks. [The info service provider eventually closed up the S3 bucket, says Fowler, although he never received any response.] In addition to the bucket not being password protected, none of the information in it was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.
Some 95 percent of the documents Fowler saw were labeled "background checks," he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges. While court records and sex offender status are usually public records in the US, this exposed cache could be combined with other data points to make complete profiles of people -- along with their family members and co-workers -- providing everything criminals would need for targeted phishing and/or social engineering attacks.
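The two failures named above, a bucket readable by anyone and objects stored without encryption, are both visible from the bucket's own configuration. The following audit routine is an added example, not code from The Register, Fowler, or SL Data Services. It assumes the response shapes of boto3's get_public_access_block, get_bucket_acl, get_bucket_policy and get_bucket_encryption calls (so it can be fed their output directly), but the sample configurations EXPOSED and HARDENED below are constructed for illustration and the bucket name in them is hypothetical.

```python
# Added example: flag an S3 bucket that is publicly readable or has no
# default encryption rule. Input dicts mirror boto3 response shapes
# (assumption); sample data below is constructed, not from the story.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def acl_is_public(acl):
    """True if any ACL grant gives READ or FULL_CONTROL to everyone."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_is_public(policy_json):
    """True if an unconditional Allow statement names Principal '*'.
    Statements carrying a Condition are not treated as public here; a full
    audit must still inspect the condition (e.g. aws:SourceIp, aws:PrincipalOrgID)."""
    if not policy_json:
        return False
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        if s.get("Effect") == "Allow" and "Condition" not in s:
            if _principal_is_wildcard(s.get("Principal")):
                return True
    return False


def audit_bucket(cfg):
    """Return findings for one bucket. cfg keys (mirroring boto3 responses):
    public_access_block (dict or None), acl (dict), policy (JSON string or
    None), encryption (dict or None when no default rule exists)."""
    findings = []
    pab = cfg.get("public_access_block") or {}  # no block => every flag False
    if acl_is_public(cfg.get("acl", {})) and not pab.get("IgnorePublicAcls", False):
        findings.append("public via ACL (AllUsers/AuthenticatedUsers grant)")
    if policy_is_public(cfg.get("policy")) and not pab.get("RestrictPublicBuckets", False):
        findings.append("public via bucket policy (Principal '*')")
    rules = (cfg.get("encryption") or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default server-side encryption rule")
    return findings


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}

# Constructed: no Public Access Block, world-readable ACL, no encryption rule.
EXPOSED = {
    "public_access_block": None,
    "acl": {"Owner": {"ID": "owner-id"}, "Grants": [
        OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "policy": None,
    "encryption": None,
}

# Constructed: the same bucket after remediation (hypothetical bucket name).
HARDENED = {
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "acl": {"Owner": {"ID": "owner-id"}, "Grants": [OWNER]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(cfg) or ["no findings"])
```

Two caveats for anyone running this against real buckets. First, server-side encryption does not help once a bucket is public: S3 decrypts transparently for any principal the ACL or policy allows, so the "not encrypted" point in the story is about data at rest, not about the exposure itself. Second, S3 has applied SSE-S3 to new objects by default since January 2023, so the missing-rule finding mostly matters for older buckets or where a KMS key (and its separate access policy) is required.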
Why should the data broker care? (Score:1)
Hate to be a devil's advocate, but the data broker isn't under HIPAA, FERPA, or any laws to keep data protected. If they buy it, it is theirs, and can toss it into pastebin or make a torrent out of it, if they felt like it. Or just resell it to some dudes out of Tehran via a proxy for more cash.
Re: (Score:2)
You're making a good argument about why this entire type of data brokerage business shouldn't even be legal in the first place.
Re: (Score:2)
100%. They like to argue that their existence means it's easier for you to get credit, or other related things. So, ok, the moment your company becomes a net liability you've lost what little social license you had to exist in the first place. A corporate death sentence would be entirely appropriate.
It's an outrage! (Score:1)
Not if breached, leaked or misplaced; but when (Score:2)
These stories keep giving the idea that once your data is not inside the firewall, it is not a question of if it will be breached, but of when.