Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?

If CheckPeople could take a look at this, that would be great


Exclusive A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough.

The information silo appears to have been obtained somehow from Florida-based CheckPeople.com, which is a typical people-finder website: for a fee, you can enter someone's name, and it will look up their current and past addresses, phone numbers, email addresses, names of relatives, and even criminal records in some cases, all presumably gathered from public records.

However, all of this information is not only sitting in one place for spammers, miscreants, and other netizens to download in bulk, it's being served from an IP address associated with Alibaba's web hosting wing in Hangzhou, east China, for reasons unknown. It is a perfect illustration that not only is this sort of personal information in circulation, it's also in the hands of foreign adversaries.

A white-hat hacker operating under the handle Lynx discovered the trove online, and tipped off The Register. He told us he found the 22GB database exposed on the internet, including metadata that links the collection to CheckPeople.com. We have withheld further details for privacy protection reasons.

The repository's contents are likely scraped from public records, though together provide rather detailed profiles on tens of millions of folks in America. Basically, CheckPeople.com has done the hard work of aggregating public personal records, and this exposed NoSQL database makes that info even easier to crawl and process.

"In and of itself, the data is harmless, it's public data, but bundled like this I think it could actually be worth a lot to some people," Lynx told El Reg this week. "That's what scares me, when people start combining these with other datasets."

While CheckPeople.com also offers criminal record searches, Lynx did not find that information among the cache.

The Register has repeatedly attempted to reach a human at CheckPeople to alert it to the leak, and the site's administrators have yet to respond. Its customer-support call center directed us to email the company, although our messages were subsequently ignored, it appears. Similarly, Lynx told us he has been unable to get hold of anyone beyond a third-party call center worker.

You would think a company trafficking in personal records would care a bit more about being able to be reached.

Whether this is data somehow siphoned from CheckPeople by a Chinese outfit and dumped lazily online, or a CheckPeople server hosted in China, is unclear.

However, under the laws of the People's Republic, government agencies can more or less search any machine at any time in the Middle Kingdom, meaning profiles on 56.5 million American residents appear to be at the fingertips of China, thanks to CheckPeople – we assume Beijing has files on all of us, though, to be fair.

Again, repeated attempts to contact CheckPeople for its side of the story were unsuccessful. Should the company decide to get in touch, we will update this story as needed. We have also pinged Alibaba to alert it to the exposed database, should it care about Americans' privacy. ®

Updated to add

An attorney for CheckPeople.com told us on Friday that the business is probing the matter:

CheckPeople is unaware of any database of information hosted in China or through Alibaba. CheckPeople’s records are stored in the United States on secure servers. However, CheckPeople takes security issues very seriously and is investigating this matter.

We understand the database has been removed from the Chinese server. Redacted screenshots of the records can be seen here.

