A non-password-protected database belonging to data broker SL Data Services has exposed more than 600,000 sensitive files. The exposed records include:
- Full names (including first, middle and last)
- Family members
- Home addresses
- Phone numbers
- Email addresses
- Employment details
- Social media accounts
- Court records
- Criminal history records
- Vehicle records (such as license plate and VIN)
“It is exceptionally frustrating to see events such as this in modern times where encryption of files is a trivial process yet has been ignored by an organization whose primary purpose is the collection of sensitive information,” says Erich Kron, Security Awareness Advocate at KnowBe4. “In addition, allowing an unprotected folder to be available directly from the internet is a major lapse in security. The icing on the cake is the failure to take a report of this exposed data seriously when the researcher attempted to disclose it. The information found in these files can be especially useful to social engineers who want to create email, text or voice phishing campaigns. The more information the social engineer has about an individual, including significant events in their life, past addresses and phone numbers, etc., the more authentic they can make their attacks seem, and the more likely a target is to become a victim.”
At this time, it is unknown how long the database was exposed or whether anyone other than cybersecurity researcher Jeremiah Fowler gained access to it. Nonetheless, individuals should be aware that their personal information may be held by various data brokers and take the necessary steps to protect their privacy.
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, comments, “Incidents like these are the reason I strongly suggest requesting to have your personal information removed from as many data brokers as you possibly can. Data brokerage databases are a popular target among bad actors, simply because of all of the data available in the databases, and that many times, data brokers do not properly secure their data pots, either from ignorance or neglect. While it can be quite time-consuming to request that your data be removed from the thousands of data brokers' files, there are services that will make the removal requests for you, track to ensure the removal has been performed, and inform you of the progress being made in removing the data.”
Organizations should also be proactive about protecting stored data. Kron states, “Organizations that handle large amounts of potentially sensitive information for individuals should take extreme care in the storage and collection of the information. Data encryption is not an option and processes and controls to verify permissions on folders, especially those in the cloud, are absolutely a necessity. Having a program in place that allows someone to report a potential leak or security concern should be an easily found and accessed part of every organization that handles sensitive data. Whether it's a form on the website to make a report, or a process in which customer service individuals can gather information and forward the report to a security team, the ability to handle responsible reporting should be a priority.
“Although it's not known if bad actors accessed the database and pilfered the information, individuals that are potentially affected should be notified and should be very cautious with unsolicited emails, text messages, or phone calls in the foreseeable future.”
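As an added defender-side example (not code from the article or from any organization named in it), the check below implements the control Kron describes, verifying permissions on cloud folders: it scans a storage bucket policy and flags statements that let anonymous internet users read the data. The article does not name the storage platform, so an AWS S3-style policy document is assumed as the input format, and the sample policy is constructed.

```python
import json

# Added example (not from the article). An AWS S3-style bucket policy is
# assumed as the input format, since the article names no platform.
# Actions that let an anonymous caller list a folder or read its objects.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element includes everyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json):
    """Return the Sids of Allow statements granting unconditional read
    access to an anonymous principal (the exposure class described above)."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions & READ_ACTIONS and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample: one public statement, one scoped to an internal role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::records/*"},
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ingest"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::records/*"},
    ],
})

if __name__ == "__main__":
    print(public_read_statements(SAMPLE_POLICY))  # ['PublicRead']
```

A statement whose grant is narrowed by a Condition (for example to a source IP range) is not flagged, so review those separately rather than treating an empty result as proof the folder is private.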