Crooks threaten to leak 3B personal records 'stolen from background check firm'
- Reference: 1717443374
- News link: https://www.theregister.co.uk/2024/06/03/usdod_data_dump/
- Source link:
A criminal gang that goes by the handle USDoD put the database up for sale for [1]$3.5 million on an underworld forum in April, and rather incredibly claimed the trove included 2.9 billion records on all US, Canadian, and British citizens. It's believed one or more miscreants using the handle SXUL was responsible for the alleged exfiltration, who passed it onto USDoD, which is acting as a broker.
The pilfered information is said to include individuals' full names, addresses, and address history going back at least three decades, social security numbers, and people's parents, siblings, and relatives, some of whom have been dead for nearly 20 years. According to USDoD, this info was not scraped from public sources, though there may be duplicate entries for people in the database.
[2]
Fast forward to this month, and the infosec watchers at VX-Underground say they've not only [3]been able to view the database and verify that at least some of its contents are real and accurate, but that USDoD plans to leak the trove. Judging by VX-Underground's assessment, the 277.1GB file contains nearly three billion records on people who've at least lived in the United States – so US citizens as well as, say, Canadians and Brits.
[4]
This info was allegedly stolen or otherwise obtained from National Public Data, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. The biz did not respond to The Register 's inquiries.
[5]TransUnion reckons big dump of stolen customer data came from someone else
[6]Airbus suffers data leak turbulence to cybercrooks' delight
[7]Snowflake denies miscreants melted its security to steal data from top customers
[8]Cyber cops plead for info on elusive Emotet mastermind
There is a small silver lining, according to the VX team: "The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present." So, we guess this is a good lesson in [9]opting out .
USDoD is the same crew that previously peddled a 3GB-plus database from [10]TransUnion containing financial information on 58,505 people.
And last September, the same criminals touted personal information belonging to [11]3,200 Airbus vendors after the aerospace giant fell victim to an intrusion. ®
Get our [12]Tech Resources
[1] https://x.com/H4ckManac/status/1777246310782902686
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zl48-8m1Pxh4-YSwxomyPAAAAE0&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://x.com/vxunderground/status/1797047998481854512?s=46
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zl48-8m1Pxh4-YSwxomyPAAAAE0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2023/09/21/transunion_data_dump/
[6] https://www.theregister.com/2023/09/13/airbus_data_leak/
[7] https://www.theregister.com/2024/05/31/snowflake_breach_report/
[8] https://www.theregister.com/2024/05/31/cyber_cops_plead_for_info/
[9] https://www.nationalpublicdata.com/optout.html
[10] https://www.theregister.com/2023/09/21/transunion_data_dump/
[11] https://www.theregister.com/2023/09/13/airbus_data_leak/
[12] https://whitepapers.theregister.com/
That 'opt out link'
It should be made clear that the opt out page that Ms. Lyons linked-to in her report is only applicable to residents in California, Virginia, Colorado, Connecticut, or Utah. As I read it, the rest of the world has no rights to request data is deleted, corrected or not used for whatever purpose National Public Data see fit to put it to. Clearly, of the many that might have been 'leaked', relatively few ever had a right to opt out (IMHO it's very badly worded, has repeated clauses and poor punctuation; I stand corrected if I have somehow misinterpreted their intention).
I'm sure I can say with a fairly high level of confidence that the vast majority of, say, British people would have absolutely no idea their data might have ended up in a DB owned by National Public Data in the US. How, then, would someone go about making sure such information is redacted when they can't possibly know which organisations they need to ask?
If ever I am challenged to justify why I feel there needs to be international law supporting 'no data unless expressly opting in', this debacle and NPD's policy will form my keystone defences.
Edit: grammar corrections [ Ball boy ]
277.1GB from a "small" information broker
I shudder to think of how many "small" brokers there are, and how much data the big brokers have . . .
Something a bit odd here. 3B records < 300B bytes of data. That's not much data per record.
It's about time any business of this nature that can't keep control of its data is sued into oblivion along with all its directors and officers.