A database linked to SL Data Services, a U.S.-based data broker, has exposed 644,869 sensitive records online. The records included personally identifiable information, property ownership details, vehicle records, court records, and background check documents, and they lacked password protection or encryption.
Security researcher Jeremiah Fowler discovered the exposure and reported it to the review and cyber research site WebsitePlanet. He observed a sample of the documents stored in the 713.1 GB database and said 95% were labeled as “background checks.”
Documents of this type contained full names, home addresses, phone numbers, email addresses, employment information, family members, social media accounts, and criminal record history. Fowler verified that some named individuals did live at their listed addresses.
“This information provides a full profile of these individuals and raises potentially concerning privacy considerations,” he wrote in a report.
Fowler believed that a property report ordered from SL Data Services would be stored in a database that the customer could access through a web portal. The only problem is that “if you know the file path, you know where the documents are stored,” he told TechRepublic in an email.
He added: “This company used one database for multiple domains and used no segmentation other than folders named after the website.”
Access to the database was restricted for over a week after Fowler notified SL Data Services of the exposure. He could only connect with call centre agents, who informed him that a breach would be impossible because the company uses an SSL with 128-bit encryption.
During that week, the number of records it contained increased by over 150,000. It is unknown how long the database was publicly accessible, nor if anyone accessed it.
SEE: Data (Use and Access) Bill: What Is It and How Does It Impact UK Businesses?
Exposed data puts individuals at risk of phishing attacks
The biggest concern surrounding the exposed data is the opportunity it creates for staging convincing phishing and social engineering attacks. A criminal can use the information to either impersonate or target an individual whose data was exposed in a background check document.
“The criminals could potentially leverage information about family members, employment, or criminal cases to obtain additional sensitive personal information, financial data, or other privacy threats,” Fowler wrote in the report.
Businesses that store personal information should consistently monitor access logs for suspicious activity, such as mass viewing or downloading files. They should also refrain from using PII in the file naming system, as unauthorised users may be able to read them simply by opening the directory or file metadata. Using random and hashed identifiers as filenames is recommended as an alternative.
Who is ‘SL Data Services’?
SL Data Services provides “comprehensive real property reports for residential real estate across the US” and was founded in 2023, according to its accredited Better Business Bureau page. However, some reviews suggest deceptive practices, whereby customers order a property report for $1 but then receive subsequent monthly charges to their credit card of up to $20 despite claiming not to have consented to a subscription.
According to Fowler, SL Data Services operates a network of an estimated 16 websites. This is because folders within the exposed database were named with separate website domains.
SEE: 1.1 Million UK NHS Employee Records Exposed From Microsoft Power Pages Misconfiguration
Its Better Business Bureau page provides the alternative business name of “propertyrecs.com LLC,” which appears to be another property records provider. However, Fowler called the company and was told it also provides criminal checks, motor records, and death and birth records.
The company’s reviews on Trustpilot indicate that PropertyRecs users are often charged a subscription fee they did not intentionally sign up for, similar to SL Data Services.
Despite the rescinding of public access to the database, Fowler has not heard from SL Data Services or PropertyRecs. TechRepublic also reached out to the companies but did not receive a response. There is no confirmation that the exposed database is owned by SL Data Service, PropertyRecs, or a third-party contractor.
Information service providers make prime targets for cyber attackers
This is not the first instance this year of an information service provider failing to adequately secure its data. In August, a hacker dumped 2.7 billion data records from National Public Data, a background-checking service, on a dark web forum in one of the biggest breaches in history.
It is thought that attackers gained initial access to National Public Data via a sister property, RecordsCheck, which hosted an archive of plain text usernames and passwords for different components of its site, including its administrator. The archive indicated that all the site’s users were given the same six-character password by default, but many never changed it.
National Public Data has since filed for bankruptcy, claiming it cannot withstand the financial and reputational damage that resulted from the breach.
In 2023, TruthFinder and Instant Checkmate, two other background-checking companies, confirmed that 20 million of their customers had been affected by a data breach. They claim that the data was stolen from the cloud storage of a former service provider.
“I have seen numerous instances of a relatively small company with access to massive amounts of data and lax data security,” Fowler told TechRepublic. “It appears many data brokers invest in data but not data protection technology.
“Data is valuable, and every year, there are more companies that get into the business of collecting, sharing, and selling information. When startups enter the market, like any business they are focusing on sales and revenue and often do not create a secure infrastructure to manage and deliver their data.
“When it comes to PII, there has to be higher standards and accountability, and companies entering this market need more oversight for obvious reasons, and until there are regulations in place, we will continue to see these types of data breaches.”
Fowler recommends that, before signing up to a data broker, inquire about its data storage methods and penetration testing or vulnerability scan frequency. “If the company takes data protection seriously, they will make someone available or provide additional information,” he told TechRepublic.
