Data broker leaves 600K+ sensitive files exposed online

November 27, 2024 at 01:07PM

Over 600,000 sensitive files, including personal criminal histories, were exposed online by SL Data Services in an unprotected database. Security researcher Jeremiah Fowler reported the issue, highlighting risks of phishing and social engineering. Although the database was eventually closed, the exposed information could severely impact individuals and their associates.

### Meeting Takeaways

1. **Data Exposure Incident**:
– Over 600,000 sensitive files, including criminal histories and background checks, were found in a non-password-protected Amazon S3 bucket owned by SL Data Services.
– The exposed data totalled approximately 713.1 GB, comprising 644,869 PDF files.

2. **Duration of Exposure Unknown**:
– The duration for which the personal information was accessible remains unclear. The data breach was reported by security researcher Jeremiah Fowler, who attempted to contact SL Data Services repeatedly for two weeks without receiving a response.

3. **Data Leakage Risks**:
– The exposed files primarily contained detailed information such as full names, addresses, phone numbers, emails, employment details, family information, and criminal records.
– The risk extends to compiling comprehensive profiles of individuals, which could facilitate targeted phishing or social engineering attacks.

4. **Inadequate Security Measures**:
– The information was neither encrypted nor password protected. The company's sites claimed to use 128-bit encryption and SSL certificates, but the exposed bucket showed no evidence of such measures.

5. **Potential Impact on Individuals**:
– The data leak poses significant risks not only to the individuals directly affected but potentially to their family members and associates.
– Criminals could leverage this information to obtain further sensitive data, escalating security concerns associated with phishing attacks.

6. **Closure of Exposed Database**:
– SL Data Services eventually secured the S3 bucket, but gave no formal acknowledgment or response to Fowler, who reported the incident.
– There is currently no evidence that the exposed information was accessed by criminals.

7. **Suggestions for Improvement**:
– Fowler emphasized the need for organizations to use random, hashed identifiers for file naming instead of easily searchable formats that contain personal information.
– Organizations should monitor access logs to catch unusual activity and implement stronger security practices, including the use of passwords and encryption to protect sensitive data.
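The two recommendations above (non-identifying file names, and reviewing access logs for unusual activity) can be put into practice with a short script. The following is an added example written for this summary; it is not code from the article, from Fowler, or from SL Data Services. It assumes Python 3, object keys of the form `prefix/<hex>.pdf`, and the field layout of Amazon S3 server access logs (bucket owner, bucket, bracketed time, remote IP, requester, request ID, operation, key, quoted request URI, HTTP status, error code, bytes sent); the log lines and identifiers in it are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

# --- 1. Object keys that do not carry personal data ----------------------

# A key is "opaque" when its file name is a bare hex identifier of 32-64
# characters (the assumed naming convention), not a searchable name.
OPAQUE_KEY = re.compile(r"^(?:[\w-]+/)*[0-9a-f]{32,64}\.[A-Za-z0-9]+$")


def random_object_key(prefix: str = "reports", extension: str = "pdf") -> str:
    """Random, unguessable key such as 'reports/<32 hex chars>.pdf'.
    The link from key back to a person lives in an access-controlled index,
    never in the object name itself."""
    return f"{prefix}/{secrets.token_hex(16)}.{extension}"


def hashed_object_key(record_id: str, secret: bytes,
                      prefix: str = "reports", extension: str = "pdf") -> str:
    """Stable key derived from an internal record id with HMAC-SHA256.
    Without `secret` the key cannot be predicted from the id, and the key
    reveals nothing about the subject of the file."""
    digest = hmac.new(secret, record_id.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}/{digest}.{extension}"


def is_opaque_key(key: str) -> bool:
    """True if the key follows the opaque naming convention above."""
    return OPAQUE_KEY.match(key) is not None


# --- 2. Reviewing S3 server access logs for signs of open access ----------

# First twelve fields of an S3 server access log line; the requester field
# is '-' when the request was made without any AWS credentials.
LOG_RE = re.compile(
    r'^(\S+) (\S+) \[([^\]]+)\] (\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+) (\S+) (\S+)'
)


def parse_log_line(line: str):
    """Return the fields the review needs, or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(4), "requester": m.group(5),
            "operation": m.group(7), "key": m.group(8), "status": m.group(10)}


def review_access_log(lines, bulk_threshold: int = 3) -> dict:
    """Flag the three things the write-up warns about: files served to
    unauthenticated callers, bucket listings by unauthenticated callers,
    and a single source address pulling many files."""
    anonymous_reads, listings = [], []
    per_ip = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["status"] != "200":
            continue  # denied or malformed requests are not successful reads
        anonymous = rec["requester"] == "-"
        if rec["operation"] == "REST.GET.OBJECT":
            per_ip[rec["ip"]] += 1
            if anonymous:
                anonymous_reads.append(rec["key"])
        elif rec["operation"] == "REST.GET.BUCKET" and anonymous:
            listings.append(rec["ip"])
    bulk = {ip: n for ip, n in per_ip.items() if n >= bulk_threshold}
    return {"anonymous_reads": anonymous_reads, "listings": listings,
            "bulk_downloaders": bulk}


# Constructed sample log (not from the incident). Addresses come from the
# RFC 5737 documentation ranges; the account id and request ids are made up.
SAMPLE_LOG = [
    '79a59df900b9 example-bucket [27/Nov/2024:13:01:00 +0000] 203.0.113.10 arn:aws:iam::123456789012:user/reports-app 3E57427F REST.GET.OBJECT reports/3f9a0c1e2b4d5a6f7e8d9c0b1a2f3e4d.pdf "GET /reports/3f9a0c1e2b4d5a6f7e8d9c0b1a2f3e4d.pdf HTTP/1.1" 200 - 524288 524288 40 39 "-" "aws-cli/2.15" -',
    '79a59df900b9 example-bucket [27/Nov/2024:13:05:10 +0000] 198.51.100.7 - 7A1B2C3D REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 8192 - 30 29 "-" "python-requests/2.31" -',
    '79a59df900b9 example-bucket [27/Nov/2024:13:05:12 +0000] 198.51.100.7 - 7A1B2C3E REST.GET.OBJECT reports/john_doe_criminal_history.pdf "GET /reports/john_doe_criminal_history.pdf HTTP/1.1" 200 - 1048576 1048576 55 54 "-" "python-requests/2.31" -',
    '79a59df900b9 example-bucket [27/Nov/2024:13:05:13 +0000] 198.51.100.7 - 7A1B2C3F REST.GET.OBJECT reports/jane_roe_background_check.pdf "GET /reports/jane_roe_background_check.pdf HTTP/1.1" 200 - 983040 983040 51 50 "-" "python-requests/2.31" -',
    '79a59df900b9 example-bucket [27/Nov/2024:13:05:14 +0000] 198.51.100.7 - 7A1B2C40 REST.GET.OBJECT reports/sam_poe_dmv_record.pdf "GET /reports/sam_poe_dmv_record.pdf HTTP/1.1" 200 - 409600 409600 22 21 "-" "python-requests/2.31" -',
    '79a59df900b9 example-bucket [27/Nov/2024:14:30:00 +0000] 192.0.2.5 - 9F8E7D6C REST.GET.OBJECT reports/jane_roe_background_check.pdf "GET /reports/jane_roe_background_check.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.4" -',
]

if __name__ == "__main__":
    print("random key:", random_object_key())
    print("hashed key:", hashed_object_key("rec-1001", b"server-side-secret"))
    for section, value in review_access_log(SAMPLE_LOG).items():
        print(f"{section}: {value}")
```

The last sample line shows the state after the bucket was locked down: the same file is requested anonymously but gets a 403 and is not counted as a read. Every key flagged as an anonymous read fails `is_opaque_key`, which is exactly the combination Fowler warns about: a file name that says who the record is about, served to anyone who asks.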

8. **Company Information**:
– SL Data Services offers a range of data services, including property, criminal checks, and DMV records, across multiple websites.
– Each website appears to provide different aspects of data collection surrounding property and criminal records.

### Action Items
– Review and evaluate data security measures at SL Data Services.
– Consider implementing enhanced protocols for data access and storage.
– Follow up for a response from SL Data Services regarding the incident.
