A significant data breach has been uncovered, revealing more than 600,000 sensitive files tied to various individuals. These records, which include criminal histories, background checks, and property details, were found in a non-password protected database belonging to SL Data Services, a data brokerage firm.
Security researcher Jeremiah Fowler discovered the exposed Amazon S3 bucket in October and acted quickly to alert the company. Over the course of more than two weeks, he made phone calls and sent emails every few days in hopes of remedying the situation. "Even when I would make phone calls to the multiple numbers on different websites and tell them there was a data incident, they would tell me they use 128-bit encryption and use SSL certificates – there were many eye rolls," said Fowler.
"Even when I would make phone calls to the multiple numbers on different websites and tell them there was a data incident, they would tell me they use 128-bit encryption and use SSL certificates – there were many eye rolls,"
His findings were alarming. The unprotected archive, totaling 713.1 GB, contained 644,869 PDF files. Approximately 95 percent of these documents were categorized as background checks. These records revealed detailed personal information, including full names, addresses, phone numbers, email addresses, and even criminal record histories. In some cases, details about serious offenses, such as sexual misconduct, were also included, presenting a wealth of information about individuals and their associates.
Fowler emphasized the dangers posed by such a data exposure. "The biggest risk in my opinion would be the way they compile a full picture and profile of an individual that is far beyond just the basic semi-public information that could be out there online," he noted. This level of detailed profiling could expose individuals and their families, or even people unrelated to those named in the background checks, to potential risks, including targeted phishing and social engineering attacks.
"The biggest risk in my opinion would be the way they compile a full picture and profile of an individual that is far beyond just the basic semi-public information that could be out there online,"
By the Numbers
Criminals could leverage the disclosed information to gain access to more sensitive personal data or financial details. Fowler explained, "As you know when it comes to phishing, the more information you have about a person, the better. Knowing things like employment, criminal records, and family members from one report raises a lot of security concerns."
**Related:** [APPlife Digital Solutions, Inc. Files Form S-1 Registration Statement](/article/applife-digital-solutions-inc-files-form-s-1-registration-statement)
After Fowler's efforts, SL Data Services eventually secured the S3 bucket, although he received no acknowledgment of his reports. Attempts by The Register to reach SL Data Services for further comment were unsuccessful.
A silver lining in this situation is that there remains no evidence indicating that criminals exploited the openly accessible database prior to its closure. However, the potential ramifications of such oversight are significant.
By the Numbers
Incidents like this are not isolated. Earlier this year, a background check firm experienced a severe breach, resulting in an estimated 2.9 billion sensitive records being put up for sale on a cybercrime forum for $3.5 million. Other reported breaches have exposed tens of millions of records due to negligence or inadequate security measures.
For instance, National Public Data acknowledged an intrusion leading to a massive data leak, which prompted its parent company, Jericho Pictures, to file for bankruptcy while admitting that "hundreds of millions" of individuals might be affected.
"hundreds of millions"
In a digital landscape where personal information is increasingly at risk, the incident involving SL Data Services serves as a stark reminder of the vital importance of robust security protocols. Organizations holding sensitive data must prioritize safeguarding it, to prevent such exposés and the ensuing risks to individuals and families.
