Cybersecurity | 28 Nov 2024 | 3m | malwarebytes.com

Data Broker Exposes 644,000 Sensitive Files, Raising Privacy Concerns

A researcher has uncovered a major data leak involving 644,869 sensitive files left unprotected by data broker SL Data Services. The incident raises significant concerns over privacy and data security.

Key Takeaways

  1. In a significant privacy breach, a researcher has revealed that a data broker accidentally exposed 644,869 sensitive files within a publicly accessible cloud storage container.
  2. The majority of these documents contained crucial personal details, including individuals’ full names, home addresses, phone numbers, email addresses, employment histories, family information, social media accounts, and even criminal records.
  3. These records were stored in a massive 713.1 GB Amazon S3 bucket, which lacked password protection and encryption, making them vulnerable to anyone who stumbled upon the storage.

In a significant privacy breach, a researcher has revealed that a data broker accidentally exposed 644,869 sensitive files within a publicly accessible cloud storage container. These records were stored in a massive 713.1 GB Amazon S3 bucket, which lacked password protection and encryption, making them vulnerable to anyone who stumbled upon the storage.

Among the files were thousands of vehicle records, property ownership reports, and notably, extensive background checks. The majority of these documents contained crucial personal details, including individuals’ full names, home addresses, phone numbers, email addresses, employment histories, family information, social media accounts, and even criminal records.

Data brokers, like SL Data Services, specialize in amassing and selling personal information for profit. SL Data Services markets itself as a purveyor of real estate information reports, and its support team also disclosed that the company provides criminal checks, DMV records, as well as birth and death records.


The structure of the data organization in the container indicated a deliberate effort to segregate information by website domains. The company supposedly manages a network of around 16 different websites that offer various information services, including their property reporting tool, PropertyRec.

Background checks are often completed without the knowledge of the subjects involved, which poses a serious risk. As noted by the researcher, “I am not stating nor implying that Propertyrec’s customers or any individuals are at risk of impersonation, spear phishing, or social engineering attacks, I am only providing a real world risk scenario of how this type of information could possibly be exploited by criminals.”

The naming convention used for the exposed files further exacerbated the situation, with files labeled in an identifiable format such as “First_Middle_Last_State.PDF.” This made it alarmingly easy for unauthorized individuals to locate and access the documents pertaining to specific persons.
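The two conditions described above, a bucket readable by anyone and object keys built from people's names, can both be checked from a bucket's own configuration. The following is an added example, not code from the researcher or from Malwarebytes; the `audit_bucket` function, the dictionary layout (`public_access_block`, `policy`, `encryption_rules`, `object_keys`) and every sample value are constructed for illustration, with inner field names mirroring S3's bucket policy and public access block settings.

```python
import re

# Matches keys shaped like the "First_Middle_Last_State.PDF" convention in the article.
NAME_KEY = re.compile(r"(?:^|/)[a-z]+_[a-z]+_[a-z]+_[a-z]{2}\.pdf$", re.I)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard(principal):
    """True when a policy principal means 'anyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(cfg):
    """Return a list of findings for one bucket configuration (hypothetical layout)."""
    findings = []
    pab = cfg.get("public_access_block") or {}
    off = [f for f in PAB_FLAGS if not pab.get(f)]
    if off:
        findings.append("public-access-block-off: " + ",".join(off))
    for st in (cfg.get("policy") or {}).get("Statement", []):
        # An unconditional Allow to a wildcard principal exposes the resource publicly.
        if st.get("Effect") == "Allow" and is_wildcard(st.get("Principal")) \
                and not st.get("Condition"):
            findings.append("policy-allows-anyone: " + str(st.get("Action")))
    if not cfg.get("encryption_rules"):
        findings.append("no-default-encryption")
    named = [k for k in cfg.get("object_keys", []) if NAME_KEY.search(k)]
    if named:
        findings.append(f"person-named-keys: {len(named)}")
    return findings

# Constructed sample: the weak configuration beside a corrected one.
EXPOSED = {
    "public_access_block": None,
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-reports-bucket/*"}]},
    "encryption_rules": [],
    "object_keys": ["site-a.example/Jane_Q_Example_TX.PDF",
                    "site-a.example/John_A_Sample_OH.PDF", "static/logo.png"],
}
HARDENED = {
    "public_access_block": {f: True for f in PAB_FLAGS},
    "policy": None,
    "encryption_rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}],
    "object_keys": ["records/3f9c1a7e.pdf"],  # opaque identifier, no personal data in the key
}
```

The name pattern is a heuristic and will also match three-word keys that happen to end in a two-letter token, so treat its count as a prompt to review the keys rather than a verdict.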

It took considerable effort on the researcher’s part, involving numerous calls and emails, to urge the removal of these exposed files from public view. Disturbingly, SL Data Services did not respond to the researcher’s inquiries, nor did they offer an explanation for the breach, leaving many questions unanswered.


Incidents like this raise critical awareness about the need for individuals to protect their personal information from data brokers. The process of removing personal data from these brokers can be intricate and time-consuming. While individuals may attempt manual opt-outs, this often requires significant ongoing effort to monitor and address data reappearances across various platforms.

Fortunately, data broker removal services have emerged to ease this burden. These services automate the task of discovering and eliminating personal information from data broker databases, scanning existing databases for individual data and submitting opt-out requests on their behalf. This provides a more thorough and continuous approach to privacy protection.


Malwarebytes, for example, offers a Personal Data Remover service that aids users in deleting their information from search results, spam lists, people lookup sites, and data brokers, although it’s currently available only in the United States.

Looking Ahead

Incidents of this magnitude underline the essential need for enhanced cybersecurity measures and greater awareness about the risks associated with data brokers. Individuals must remain vigilant and proactive in managing their digital identities to safeguard their private information from unauthorized access and potential misuse.