Data broker exposes 600,000 sensitive files including background checks

A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.

The 713.1 GB container (an Amazon S3 bucket ) did not have password-protection, and the data was left unencrypted, so anybody who stumbled on them could read the files. The files not only contained thousands of people’s vehicle records (license plate and VIN) and property ownership reports, but also criminal histories, and background checks.

The majority of the records were labelled as background checks which contained full names, home addresses, phone numbers, email addresses, employment history, family members, social media accounts, and criminal record history.

Data brokers collect and sell your information, including financial, personal, behavior and interests, for profit. SL Data Services markets itself as a provider of real estate information reports. But when the researcher contacted its support team, they stated the company also provides criminal checks, division of motor vehicles (DMV) records, death and birth records.

Probably to organize the data to this end, the folders inside the container all had names of separate website domains. The company apparently operates a network of an estimated 16 different websites, offering a range of information services (e.g. PropertyRec).

Background checks can and are often done without the subject’s awareness. But with all the combined information about a person, it paints a very complete picture that insurance companies, advertisers, and even cybercriminals can use to their advantage.

The researcher explained:

“I am not stating nor implying that Propertyrec’s customers or any individuals are at risk of impersonation, spear phishing, or social engineering attacks, I am only providing a real world risk scenario of how this type of information could possibly be exploited by criminals.”

And to make things worse—if possible– the files had names that used the following format: “First_Middle_Last_State.PDF.” Which makes it incredibly easy for anyone, whether they are supposed to have access or not, to find a person of interest and read that file.

It took the researcher quite a few calls and emails to get the exposed data taken out of public sight, and SL Data Services never provided the researcher with a response, let alone an explanation how this could happen.

Don’t give up your information, remove it where you can

Unfortunately, incidents like this are commonplace, so it’s clear that we should take it upon ourselves to make sure our information can’t be found by data brokers.

Removing your personal information from data broker sites can be a complex and time-consuming process. While manual opt-outs are effective, they require considerable effort to keep up with new data entries and the reappearance of your information on various sites. This is where data broker removal services come in handy.

Data broker removal services are designed to automate the process of finding and removing your personal information from data broker databases. These services regularly scan known databases for your information and submit opt-out requests on your behalf, ensuring a more comprehensive and continuous protection of your privacy.

Malwarebytes offers a Personal Data Remover service (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.