Data broker leaves 600K+ sensitive files exposed online
Researcher spotted open database before criminals … we hope
Exclusive More than 600,000 sensitive files containing thousands of people's criminal histories, background checks, vehicle and property records were exposed to the internet in a non-password protected database belonging to data brokerage SL Data Services, according to a security researcher.
We don't know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks.
In addition to not being password protected, none of the information was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.
"Even when I would make phone calls to the multiple numbers on different websites and tell them there was a data incident, they would tell me they use 128-bit encryption and use SSL certificates – there were many eye rolls," he claimed.
Some 95 percent of the documents Fowler saw were labeled "background checks," he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges.
While court records and sex offender status are usually public records in the US, this exposed cache could be combined with other data points to make complete profiles of people – along with their family members and co-workers – providing everything criminals would need for targeted phishing and/or social engineering attacks.
They would tell me they use 128-bit encryption and use SSL certificates – there were many eye rolls
"The biggest risk in my opinion would be the way they compile a full picture and profile of an individual that is far beyond just the basic semi-public information that could be out there online," Fowler told The Register. "This puts both the individual and their family or associates at potential risk – or even individuals who have nothing to do with the person identified in the background check."
Criminals could also potentially use this exposed info to obtain other sensitive personal or financial details, he added.
"As you know when it comes to phishing, the more information you have about a person, the better," Fowler noted. "Knowing things like employment, criminal records, and family members from one report raises a lot of security concerns."
The info service provider eventually closed up the S3 bucket, says Fowler, although he never received any response. The Register also reached out to SL Data Services for comment and did not hear back.
While there's no indication that criminals spotted the open database and snooped through the sensitive files therein, we've seen plenty of recent examples of the nefarious purposes that this type of personal information could be used for if it fell into the wrong hands.
Earlier this year, digital thieves ransacked another background check firm and then later listed – for $3.5 million on a cybercrime forum – what the crooks claimed to be 2.9 billion sensitive records linked to US, Canadian, and British citizens.
- National Public Data files for bankruptcy, admits 'hundreds of millions' potentially affected
- After nearly 3B personal records leak online, Florida data broker confirms it was ransacked by cyber-thieves
- Fore-get about privacy, golf tech biz leaves 32M data records on the fairway
- 31.5M invoices, contracts, patient consent forms, and more exposed to the internet
In August, National Public Data confirmed the intrusion and massive data leak. Last month, its parent company, Jericho Pictures, filed for bankruptcy, admitting "hundreds of millions" of people were potentially affected.
SL Data Services claims to provide property reports – including property and lien data, owner and neighbor information, crime and school info, plus mortgage and tax data – for residential real estate across the US, according to its Better Business Bureau profile.
While the open database that Fowler says he found belonged to SL Data Services, the folders inside were named with separate website domains, he observed, adding that the firm appears to operate at least 16 different websites that provide a range of different data. "For instance, PropertyRec, a website that advertises property and real estate research data, was mentioned in the database's name," Fowler wrote in a report slated to be published on Wednesday.
Match made in heaven: property records + criminal checks
"However, it seems the company offers more than just property records," he added. "In a phone call to customer support, I was told they also provide criminal checks, division of motor vehicles (DMV) records, death and birth records."
PropertyRec did not respond to The Register's request for comment.
Another troubling aspect is that the files in the database were named using this format: "First_Middle_Last_State.PDF."
While this naming mechanism provides an easy way to organize and search files, Fowler also recommends that organizations use unique identifiers that are random and hashed, and otherwise don't include any personal or identifiable information.
He suggests any organization that collects and stores sensitive data monitors its access logs. "This can help identify any unusual patterns – such as instances of mass viewing or downloading of files from the organization's cloud storage database or internal network," Fowler explained.
And please, use passwords and encryption. ®