According to a recent discovery by a database connected to SL Information Companies, a prominent US-based data provider, a staggering 644,869 sensitive pieces of information have been found online. The stored data comprised sensitive details including personally identifiable information, property ownership records, vehicle information, court-related documentation, and background investigation reports, frequently compromised by the absence of robust password security and encryption measures.
A renowned safety researcher, Jeremiah Fowler, brought the matter to light and subsequently notified the esteemed website WebsitePlanet, which specializes in cybersecurity assessments and evaluations. Within the substantial 713.1 GB database, he identified a recurring theme among the stored documentation, revealing that a staggering 95% of records were categorized under “background checks”.
The paperwork in question encompassed a broad range of sensitive information, including full names, physical addresses, phone numbers, email addresses, occupational details, familial relationships, online profiles, and criminal record histories. The records confirm that individuals with specified names were indeed residing at the provided locations.
“This data provides a comprehensive profile of individuals, raising potentially concerning privacy questions,” he noted in his statement.
According to Fowler, a property report obtained from SL Information Companies could potentially be stored in a database and made accessible via a web-based portal for the customer’s use. One potential limitation is that “the file path determines where the documents are stored,” as he explained in an email to TechRepublic.
The speaker noted that this company employed a singular database to manage multiple websites, relying solely on folder categorization for organization.
Following Fowler’s notification to SL Information Companies about the publicity, access to the database was prohibited for more than a week. He was advised by reputable centre brokers that it would be impossible for there to be a breach because the company uses advanced SSL encryption technology featuring 128-bit security.
During that week, the array of information surged by more than 150,000. The extent of the database’s public accessibility remains unclear, as does any potential exploitation by unauthorized individuals.
Vulnerable users exposed to phishing threats as hidden data comes to light.
The primary anxiety surrounding this revelation lies in its potential to facilitate highly persuasive phishing and social engineering attacks. A skilled felon could potentially utilize the obtained data to convincingly impersonate or target an individual whose personal information was discovered through a background check document.
Criminals are likely to exploit sensitive information about individuals’ families, employment, or past convictions to obtain highly personal data, financial records, and other privacy vulnerabilities, according to the report written by Fowler.
Entities responsible for safeguarding sensitive information should consistently scrutinize access logs for anomalous activity, such as widespread file viewing or downloading. To prevent unauthorized access, they should refrain from incorporating Personally Identifiable Information (PII) in their file naming conventions, as this sensitive data may be compromised simply by accessing the directory or file metadata. By employing randomly generated and hashed identifiers as file names, you gain a significant advantage.
Who’s ‘SL Information Companies’?
Established in 2023, SL Information Companies provides comprehensive real estate reviews for residential properties across the United States, as stated on its official website. Despite some evaluations warning against deceptive tactics, certain reports suggest that unsuspecting customers are being tricked into signing up for ongoing monthly charges, with initial property report purchases escalating into recurring payments of up to $20 per month without their explicit consent.
According to reports, SL Information Companies manages a network of approximately 16 online platforms. It was due to the fact that folders within the uncovered database were labeled with distinct website domain names.
The Better Business Bureau webpage lists the business name as “propertyrecs.com LLC,” appearing to be another real estate data provider. Despite this, Fowler was told that the corporation also conducts criminal background checks, provides motor vehicle records, and offers death and birth certificates.
According to the corporation’s assessments, some PropertyRecs customers have been unintentionally billed for a subscription service, echoing similar issues experienced by SL Information Companies.
Despite the revocation of public access to the database, Fowler remains unaware of any communication from SL Information Companies or PropertyRecs. TechRepublic attempted to contact the companies involved but did not receive a response. There is no confirmation that the discovered database belongs to SL Information Service, PropertyRecs, or a third-party vendor.
Cybercriminals have their sights set squarely on information service providers as prime targets for exploitation.
Another year, another data breach: a major service provider’s inadequate safeguards expose sensitive information once again? In August, a notorious hacker breached the databases of a prominent background-checking service and published the stolen information on a darknet forum, resulting in one of the largest data breaches in history.
Attackers reportedly breached Nationwide Public Information by exploiting access to a sister platform, RecordsCheck, which stored an unencrypted repository of usernames and passwords for administrators, allowing unauthorized entry to the main site. According to the archive, all Positioning’s customers initially received a six-character default password; unfortunately, many failed to change it.
The Nationwide Public Information company has subsequently filed a lawsuit, alleging it cannot financially or reputationally recover from the harm caused by the data breach.
In 2023, two separate background-checking firms independently verified that approximately 20 million individuals were impacted by a data breach. According to authorities, the compromised data allegedly originated from the cloud storage of a defunct service provider, which they claim was breached by an unknown entity.
A small company may unwittingly gain access to vast amounts of data, often accompanied by inadequate cybersecurity measures, noted Fowler in an interview with TechRepublic. While many information brokers invest in acquiring information, they often overlook the importance of safeguarding their knowledge.
“Year after year, an increasing number of companies enter the industry of gathering, sharing, and marketing information, with its effectiveness proving paramount.” As new startups emerge, they often prioritize generating revenue over developing a robust data management infrastructure, leaving them vulnerable to potential breaches or inefficiencies in storing and transmitting sensitive information.
To ensure the protection of personally identifiable information (PII), it is crucial that there are stricter requirements and more stringent accountability measures in place. The influx of new firms entering this market necessitates enhanced oversight to address apparent concerns, and until robust laws are established, we can continue to expect such data breaches.
Before committing to a data vendor, investigate their data warehousing practices and regularity of penetration testing or vulnerability scans? “If a corporation prioritizes information security, they will designate a point of contact or provide additional resources,” he told TechRepublic.