Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?

If CheckPeople could take a look at this, that would be great


Exclusive: A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough.

The information silo appears to have been obtained somehow from Florida-based CheckPeople.com, which is a typical people-finder website: for a fee, you can enter someone's name, and it will look up their current and past addresses, phone numbers, email addresses, names of relatives, and even criminal records in some cases, all presumably gathered from public records.

However, all of this information is not only sitting in one place for spammers, miscreants, and other netizens to download in bulk, it's being served from an IP address associated with Alibaba's web hosting wing in Hangzhou, east China, for reasons unknown. It is a perfect illustration that not only is this sort of personal information in circulation, it's also in the hands of foreign adversaries.

A white-hat hacker operating under the handle Lynx discovered the trove online, and tipped off The Register. He told us he found the 22GB database exposed on the internet, including metadata that links the collection to CheckPeople.com. We have withheld further details for privacy protection reasons.

The repository's contents are likely scraped from public records, though together they provide rather detailed profiles on tens of millions of folks in America. Basically, CheckPeople.com has done the hard work of aggregating public personal records, and this exposed NoSQL database makes that info even easier to crawl and process.

"In and of itself, the data is harmless, it's public data, but bundled like this I think it could actually be worth a lot to some people," Lynx told El Reg this week. "That's what scares me, when people start combining these with other datasets."

While CheckPeople.com also offers criminal record searches, Lynx did not find that information among the cache.


The Register has repeatedly attempted to reach a human at CheckPeople to alert it to the leak, and the site's administrators have yet to respond. Its customer-support call center directed us to email the company, although our messages were subsequently ignored, it appears. Similarly, Lynx told us he has been unable to get hold of anyone beyond a third-party call center worker.

You would think a company trafficking in personal records would care a bit more about being reachable.

Whether this is data somehow siphoned from CheckPeople by a Chinese outfit and dumped lazily online, or a CheckPeople server hosted in China, is unclear.

However, under the laws of the People's Republic, government agencies can more or less search any machine at any time in the Middle Kingdom, meaning profiles on 56.5 million American residents appear to be at the fingertips of China, thanks to CheckPeople – we assume Beijing has files on all of us, though, to be fair.

Again, repeated attempts to contact CheckPeople for its side of the story were unsuccessful. Should the company decide to get in touch, we will update this story as needed. We have also pinged Alibaba to alert it to the exposed database, should it care about Americans' privacy. ®

Updated to add

An attorney for CheckPeople.com told us on Friday that the business is probing the matter:

CheckPeople is unaware of any database of information hosted in China or through Alibaba. CheckPeople’s records are stored in the United States on secure servers. However, CheckPeople takes security issues very seriously and is investigating this matter.

We understand the database has been removed from the Chinese server. Redacted screenshots of the records can be seen here.
