600,000 background checks leaked from publicly accessible database
More than 600,000 court records and other confidential documents were leaked after an information research provider left a confidential database accessible to the public.
As cybersecurity researcher Jeremiah Fowler discovered, SL Data Services/Propertyrec, an investigation firm that deals with criminal records and real estate property information, left a database without encryption or password protection, exposing 713.1 gigabytes of data.
The database contained 644,869 PDF files, primarily background checks, as well as court records, vehicle records including VIN numbers and license plates, and ownership records.
According to Fowler, 95 percent of the data samples he accessed were labeled “background checks” and contained personal data, including full names, phone numbers, home and email addresses, social media accounts, criminal history, employment history and family member information.
Before publishing his findings, Fowler sent a disclosure notice to SL Data Services/Propertyrec about the breach, to which he received no response. However, the database was subsequently protected and access was restricted.
Fowler also noted that in the week between the discovery of the database and the restriction of access, the database grew by 151,058 records, from 513,876 to 664,934.
“These background checks are likely to be conducted without the knowledge or consent of the person under review,” Fowler said.
“In the United States, court records and sex offender status are generally considered public records. However, when combined with enough data points, attackers could potentially reconstruct complete profiles of those individuals, their associates, employers or family members.
“Hypothetically, background checks could provide criminals with additional information that could be used to launch targeted phishing attempts or social engineering attacks. Criminals could potentially leverage information about family members, employment or criminal cases to obtain additional sensitive personal information, financial data or other privacy threats.”
He also noted that while SL Data Services/Propertyrec said it offers access to documents for as little as $1 per search, users of the service sign up for a monthly subscription without their knowledge.
At this stage, it does not appear that threat actors have used the exposed database to launch other cyber attacks.