A database associated with SL Data Services, a U.S.-based data broker, has exposed 644,869 sensitive records online. The records contained personally identifiable information, property ownership information, vehicle documents, court records, and background check files, and they were not protected by a password or encryption.
The exposure was identified by security researcher Jeremiah Fowler, who reported it to the assessment and cyber study platform WebsitePlanet. Fowler came across a portion of the documents stored in the 713.1 GB database and mentioned that 95% of them were categorized as “background checks.”
The documents included full names, residential addresses, phone numbers, email addresses, employment details, family members, social media profiles, and criminal records. Fowler confirmed that some individuals named in the documents lived at the addresses listed.
“This information gives an extensive profile of these individuals and raises potentially worrying privacy concerns,” he wrote in a report.
Fowler speculated that a property report ordered from SL Data Services would be stored in a database that the client could access through a web portal. However, “if you know the file path, you are aware of where the documents are stored,” he told TechRepublic via email.
He added: “This organization utilized one database for multiple domains and implemented no division except for directories named after the website.”
Following Fowler’s alert about the exposure, access to the database was restricted for just over a week. Fowler was only able to communicate with call center representatives, who assured him that a breach would be impossible because the company uses SSL with 128-bit encryption.
Within that week, the number of records in the database grew by over 150,000. Neither how long the database was publicly accessible nor whether anyone accessed it has been disclosed.
Persons at risk of phishing attacks due to exposed data
The major concern surrounding the exposed data is its potential for use in convincing phishing and social engineering schemes. A criminal could use the details to either impersonate or target an individual whose data was exposed in a background check file.
“Criminals could potentially exploit information on family members, job status, or criminal cases to acquire further sensitive personal data, financial particulars, or other privacy hazards,” Fowler wrote in the report.
Organizations storing personal data should consistently review access logs for suspicious activity, such as mass viewing or downloading of files. They should also avoid using PII in file names, as unauthorized individuals might be able to view it simply by opening the directory or file metadata. Using random and encrypted identifiers as filenames is advised as an alternative.
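An added example, not from the original article, of the log review and file-naming advice above: it flags clients that read many distinct files within a short window and generates storage names that carry no PII. The Common Log Format input, the thresholds, the paths and the sample lines are assumptions constructed for illustration.

```python
import re
import secrets
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [time] "METHOD path proto" status ...
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def opaque_object_name(suffix=".pdf"):
    """Random storage name carrying no PII (unlike 'jane-doe-12-elm-st.pdf')."""
    return secrets.token_urlsafe(24) + suffix

def bulk_readers(lines, window=timedelta(minutes=5), max_objects=3):
    """Map each client IP to its peak count of distinct files read successfully
    within one sliding window, for clients that exceeded max_objects.
    Assumes lines are in chronological order, as a web server writes them."""
    recent = defaultdict(deque)          # ip -> (timestamp, path) inside window
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET" or m["status"] not in ("200", "206"):
            continue                     # ignore failed or non-read requests
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, m["path"]))
        while ts - q[0][0] > window:     # drop reads older than the window
            q.popleft()
        distinct = len({path for _, path in q})
        if distinct > max_objects:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), distinct)
    return peaks

# Constructed sample log: one client walks six files, another rereads one file.
SAMPLE_LOG = [
    f'198.51.100.7 - - [02/Dec/2024:10:00:{i:02d} +0000] '
    f'"GET /site-a.example/r{i}.pdf HTTP/1.1" 200 48213' for i in range(6)
] + [
    '203.0.113.20 - - [02/Dec/2024:10:01:00 +0000] "GET /site-b.example/r1.pdf HTTP/1.1" 200 51200',
    '203.0.113.20 - - [02/Dec/2024:10:02:00 +0000] "GET /site-b.example/r1.pdf HTTP/1.1" 200 51200',
    '203.0.113.20 - - [02/Dec/2024:10:09:00 +0000] "GET /site-b.example/r2.pdf HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(bulk_readers(SAMPLE_LOG))
    print(opaque_object_name())
```

Counting distinct paths rather than raw requests keeps a client that rereads one report from being flagged, while a client walking a directory stands out quickly.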
Who is ‘SL Data Services’?
SL Data Services offers “all-encompassing real estate reports for residential properties throughout the US” and was founded in 2023, according to its official Better Business Bureau page. However, some reviews suggest deceptive practices, where individuals order a property report for $1 but then receive subsequent monthly charges on their credit card of up to $20, despite saying they never consented to a subscription.
Per Fowler, SL Data Services runs a network of approximately 16 websites. This is inferred from the fact that directories within the exposed database were named after distinct website domains.
Its Better Business Bureau page cites the alternate business name “propertyrecs.com LLC,” which seems to be another provider of property records. However, Fowler reached out to the company and was informed that they also provide criminal checks, vehicle records, and death and birth records.
The reviews of the company on Trustpilot suggest that users of PropertyRecs frequently encounter a subscription fee that they did not knowingly sign up for, similar to SL Data Services.
Although public access to the database has been withdrawn, Fowler has not had any communication from SL Data Services or PropertyRecs. TechRepublic also attempted to reach out to the companies but did not receive any response. There is no confirmation that the exposed database is affiliated with SL Data Services, PropertyRecs, or a third-party contractor.
Information service providers prime targets for cyber intruders
This is not the first time this year that an information service provider has failed to adequately protect its data. In August, a hacker leaked 2.7 billion data records from National Public Data, a background check service, on a dark web forum in one of the largest breaches in history.
It is speculated that attackers gained initial entry to National Public Data via an affiliated entity, RecordsCheck, which maintained an archive of plain text usernames and passwords for various components of its site, including its administrator. The archive disclosed that all the site’s users were given the identical six-character password by default, and many never changed it.
National Public Data has since begun bankruptcy proceedings, saying it cannot cope with the financial and reputational damage stemming from the breach.
In 2023, TruthFinder and Instant Checkmate, two other background check firms, confirmed that 20 million of their clients had fallen victim to a data breach. They contend that the data was stolen from the cloud storage of a former service provider.
“I have witnessed numerous cases of a moderately small company possessing access to extensive data and a lax approach to data security,” Fowler told TechRepublic. “It seems that numerous data agents invest in data but overlook investing in data protection mechanisms.
“Data is a valuable asset, and annually, a growing number of companies engage in the accumulation, sharing, and merchandising of information. When startups venture into the sector, like any business, they prioritize profits and revenue, often neglecting to construct a secure framework for managing and distributing their data.
“With regards to PII, there must be elevated standards and responsibility, necessitating greater oversight for firms entering this sector, and until regulatory measures are imposed, we will continue witnessing these data breaches.”
Fowler advises that before engaging a data broker, organizations ask about its data storage practices, as well as how often it runs penetration tests or vulnerability scans. “If the company values data protection, they will supply additional information or make someone available to address queries,” he told TechRepublic.
