Crooks Threaten To Leak 3 Billion Personal Records 'Stolen From Background Firm'

An anonymous reader quotes a report from The Register: Billions of records detailing people's personal information may soon be dumped online after being allegedly obtained from a Florida firm that handles background checks and other requests for folks' private info. A criminal gang that goes by the handle USDoD put the database up for sale for $3.5 million on an underworld forum in April, and rather incredibly claimed the trove included 2.9 billion records on all US, Canadian, and British citizens. It's believed one or more miscreants using the handle SXUL was responsible for the alleged exfiltration, who passed it onto USDoD, which is acting as a broker. The pilfered information is said to include individuals' full names, addresses, and address history going back at least three decades, social security numbers, and people's parents, siblings, and relatives, some of whom have been dead for nearly 20 years. According to USDoD, this info was not scraped from public sources, though there may be duplicate entries for people in the database.

Fast forward to this month, and the infosec watchers at VX-Underground say they've not only been able to view the database and verify that at least some of its contents are real and accurate, but that USDoD plans to leak the trove. Judging by VX-Underground's assessment, the 277.1GB file contains nearly three billion records on people who've at least lived in the United States -- so US citizens as well as, say, Canadians and Brits. This info was allegedly stolen or otherwise obtained from National Public Data, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. There is a small silver lining, according to the VX team: "The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present." So, we guess this is a good lesson in opting out.

when they say...

[bugs2squash]

when they say pilfered, do they mean repilfered, re-repilfered ?

Re: when they say...

[wgoodman]

Does it really matter? Someone will offer credit monitoring so long as you give them even more data, and nothing else will change. Until the company AND the board is on the hook for not giving a damn about security, absolutely nothing will change.

No more of the bs Republican laws that corporations are people with none of the liabilities of actual people. Flame me all you want, citizens united was R policy.

Re:

[iAmWaySmarterThanYou]

Citizens United was a court case, not a law.

If you don't know such a basic fact please step aside for the adults to talk.

I'm absolutely opposed to the USSC ruling in CU but having people like you as intellectual allies is not helpful.

Re:

[iAmWaySmarterThanYou]

Slashdot: where posting well known facts is trolling.

Brilliant effort, guys.

Re:

[Ol Olsoc]

Slashdot: where posting well known facts is trolling.

Brilliant effort, guys.

You noticed that as well, eh? We do live in a post-truth age indeed.

Re:

[iAmWaySmarterThanYou]

Fortunately this is a dead site with zero influence. If that sort of idiocy occurred on a site where millions of real people got their news we'd be deep into harmful propaganda disinformation territory.

Re:

[Ol Olsoc]

Fortunately this is a dead site with zero influence. If that sort of idiocy occurred on a site where millions of real people got their news we'd be deep into harmful propaganda disinformation territory.

Having been here a few years now, it isn't what it used to be. There have always been some kooks, but now they appear to be a much larger percentage. And having seen the eternal September results on Usenet, it might just be happening now. Once upon a time, you had to be pretty smart to get in on the internet. We did have our kooks, but at least they were smart kooks. Today, just go to Best buy - or even worse, your local smartphone store, and there we go. Set ya right up! We can still get insightful peopl

Re:

[iAmWaySmarterThanYou]

It's worse than you might realize. I was here at the start. My buddy was telling me to create an account while 3 digit UIDs were still available. I didn't care; I posted anon for years until accounts were required. Cmdr Taco really cared about the site and it showed. I honestly hope he cashed in big time, he earned it.

Back in the early days the editors cared, the stories were relevant, the clowns were overwhelmed by thousands of highly intelligent and well spoken people from across every discipline ima

Re:

[iAmWaySmarterThanYou]

It wasn't a law.

Re:

[iAmWaySmarterThanYou]

Dummy, that was my entire point on this thread.

Are you ESL or you must saw my name and your eyes turned red and steam came out of your ears and you just had to slap that reply button to get your digs in.

You just clowned yourself but hey, expected from someone like you.

Another Tuesday, another fish dead in a barrel.

Re:

[slacktide]

How absolutely precious! You think that judges do not legislate from the bench.

Re:

[iAmWaySmarterThanYou]

CU was not a law.

Thanks for participating.

Re:

[MachineShedFred]

Absent any legislation from Congress to change the status quo, the majority opinion of the court becomes de facto law until another opinion by the same court changes it a la Roe v Wade being mooted by Dobbs.

So no, not "technically" a law, but enforced the same as one in lower courts (read: every court except SCOTUS) through legal precedent should anyone else try to bring a court case in the same context.

As it turns out, it would be easier to get rid of it, if it was simply a law.

Re:

[iAmWaySmarterThanYou]

Thank you. What you said is correct and I fully agree with you. What the person I was replying to said was not. The difference is critical.

Courts interpret current law. We may end up with an unwanted or unexpected interpretation. Congress has the power to fix that if they want. The fact Congress has not done a thing about CU is not unexpected but is frustrating and disappointing and I blame both parties. Laying this at the feet of one party is some combination of childish and ignorant as to how our s

Re:

[Tokolosh]

No taxation of corporations without representation!

Re: when they say... and more

[gabrieltss]

Citizens United along with the 16th Amendment (giving Corporations "person-hood") should be shut the F! down!

Corporations ARE NOT people, their are a piece of paper - period.

Citizens United should have NEVER been allowed.

All of this is pure BS!

Re:

[Ol Olsoc]

Does it really matter? Someone will offer credit monitoring so long as you give them even more data, and nothing else will change. Until the company AND the board is on the hook for not giving a damn about security, absolutely nothing will change.

No more of the bs Republican laws that corporations are people with none of the liabilities of actual people. Flame me all you want, citizens united was R policy.

Ugh. Depending on who does them, background checks have a whole lot of data that can be embarrassing. While if it is the standard State Police check, they look at criminal convictions. If it is a DoD/FBI check, they have interviews with neighbors and friends and people who may not be friends at all. And if you were foolish enough to lie about something, and they find that out - oh, your entire life is going to be opened. I worked with a woman who lied about smoking weed, got caught, and it was off to the ra

Re:

[Kisai]

Every single person with a paypal account pretty much.

No worries

[JustAnotherOldGuy]

No worries folks, as long as you opted out of every single thing you ever had a chance to opt-out of, plus opting-out of all the other ones you didn't know about.

tl;dr, Your info (at least some of it) is probably in there.

Re:

[Tony Isaac]

And your info is already out there, for sale, through some other breach or breaches that have already occurred.

The lesson is another one

[Opportunist]

That opt-in should be the only acceptable option.

Re: The lesson is another one

[wgoodman]

Opt in/out makes no difference when the absolute worst case scenario is paying a tiny percent of the profits made by ignoring what the consumer chooses.

Re:

[Tony Isaac]

How do you opt out of a background check, exactly?

Sure, opt out, and get no job. That's not really an option to opt out.

Except...

[xlsior]

Looks like that "opt out" ability only applies to residents of California, Virginia, Colorado, Connecticut, or Utah.

Re:

[schwit1]

The Virginia data privacy law has no teeth. There is no private right of action. Only the AG can initiate a suit against the data companies.

You guys believe this?

[backslashdot]

Do they mean just checking the "opt out" box on forms? Or are they talking about the companies that remove your data from brokers? If so, maybe those data opt out handling services are behind this leak? That's the most funny outcome so likely true. https://www.google.com/search?... [google.com]

Re:

[OrangeTide]

I think if I "opt out" that I ought to be able to sue for damages when they ignore me.

Hellfire missiles for the hackers and the hacked

[iAmWaySmarterThanYou]

They had no business sitting on the PII of billions of people, then doubling down on stupid by having that data accessible via public net.

Re:

[kid_wonder]

by having that data accessible via public net.

Do you know what the interwebs are?

Bugs.

[stooo]

>> Do you know what the interwebs are?
Yep. it's the tiny openings in the spider's cobweb, a "bug" might slip through unharmed.

Re:

[iAmWaySmarterThanYou]

Yes and do you know what an air gap network is?

Jfc this is /. You have a low 5 digit UID.

Do better.

Re:

[bill_mcgonigle]

> Yes and do you know what an air gap network is?
>
> Jfc this is /. You have a low 5 digit UID.
>
> Do better.

He has the wisdom to understand that when a quick API is profitable that an air-gapped manual process will not be required.

You seem to believe in idealism which isn't reality-based.

Anyway the reckoning of identity verification seems to be coming which will be bad before it's good.

Right now only the wealthiest crimnal gangs can afford to steal your social identity so they are allowed to d

Re:Hellfire missiles for the hackers and the hacke

[iAmWaySmarterThanYou]

No, I believe when these companies do stupid shit there should be severe penalties that override any potential profit motive for being fuckups in a way that hurts everyone but them while they cash in.

That's not idealism. It is a desire for requirements, standards, laws and regulations with real teeth. To say this isn't possible is cynicism brought about by a sense of hopelessness. We have successfully implemented standards for all sorts of far less important things. This is just newer and hasn't gotten there yet but it will.

After that, hellfire missiles for failure would be appropriate. That would overcome the profit motive for fuckups.

Re:

[MachineShedFred]

Remember, Ashley Madison is still a business after choosing to doxx their entire subscriber base and ruining 35 million marriages in the process instead of shutting down and keeping the money they already had.

They now have more than double the subscriber count they had before their entire database and email host was dumped on the Internet for all to see and shame. People committed suicide behind that shit.

In the end, the almighty dollar wins, just as it always has.

Re:

[iAmWaySmarterThanYou]

Great example, I forgot about that one.

They belong on the hellfire missile target list, for sure. Near the top. That shit was more than just a data dump, it destroyed lives as you said. Real harm was done. And as usual, nothing happened.

I blame Congress and the government in general for not having any sort of laws or regulations with any teeth. Hell, it took years before they even said companies had to eventually let users know 'something might have happened'.

Re:

[Tony Isaac]

They actually were *in* the business of sitting on PII, that's how background checks work. Your suggestion would be like saying that credit rating agencies have "no business" collecting financial data about you. You like being able to get a home mortgage or a credit card? You can thank credit rating agencies, because without them, you wouldn't be getting those. You like being employed? Good luck without background checks. Both are necessary evils.

Re:

[iAmWaySmarterThanYou]

They have no business storing that data on public net.

I made no comment on their business model or the value of background checks.

Re:

[Tony Isaac]

That's like saying, they have no business using electricity from the public electricity grid. What are they supposed to do, store the data on machines that are air-gapped and not connected to anything? Oh wait, then they couldn't get to it either, to do their jobs. Or maybe the entire operation should be disconnected from the net? Oh wait, then they couldn't make or receive phone calls or send or receive documents.

Being "on the net" is pretty intrinsic to the operation of doing background checks. You have t

Re:

[iAmWaySmarterThanYou]

Yes, they are supposed to isolate my data which I didn't give them permission to store in a safer way than they did.

If they can't manage that then that's their problem. They do not have the right to a business model that puts my private data which can be used to steal my identity in public.

If they can;t figure it out then they can go out of business.

I don't give a shit if they have to do everything on paper and fax machines. That's their problem, not mine.

Again, I do not owe them my data for their busines

Re:

[Tony Isaac]

I see you believe in some mythical perfect world. In the real world, businesses actually do need their data to be accessible, and that means, by definition, that it is (indirectly) connected to the net. Part of the process of doing a background check, involves requesting documents from those who are going through the background check. How would you suggest they receive those? What's going to happen, is that you upload PDFs to their web site, which can only be done if the web site is "on the net."

Essentially

Re:

[iAmWaySmarterThanYou]

No.

I believe they have a duty to protect my data. They failed to do so. Entirely at my expense. No real harm to them.

You seem to live in a world where the needs of incompetent businesses override your right to privacy and protection of your data. Your world is a dystopia and you're welcome to it.

Absolutely nothing about background checks requires my data be easily accessible via their hacked site.

And as I already said, if they can't manage to build a properly secure network then they can use photocopier

Re:

[Tony Isaac]

Where did you get the idea that this company failed to protect their data? The article didn't say so. And the breach itself is not evidence that the company was using inadequate security, any more than a bank robbery is evidence that the bank failed to implement proper security.

There is no evidence (at least none that the article reported) that this company made sensitive data "easily accessible" or failed to implement proper safeguards. That came from you, making statements you can't back up with facts.

The

Re:

[iAmWaySmarterThanYou]

They stored my data, they lost it. Their security was inadequate.

When a bank gets robbed, I don't lose my checking account. Totally different.

If the CEO was subject to jail time and personal fines if they lost my data you can bet your ass their security would have been much more serious.

They are not owed a business model based on my data. End of story.

Re:

[Tony Isaac]

As with all analogies, there are ways you can nit-pick the analogy to find discrepancies. The point of the bank robber analogy is to show that there is no such thing as perfect security. Not for any kind of valuable asset. None. Prove me wrong! Name a single exception! You can't.

Nobody is owed any business model. No one gives businesses their models. They make them.

You don't know that security was inadequate. The article didn't state this, and you don't have an alternative source. In other words, you made i

Re:

[iAmWaySmarterThanYou]

Did they have my data? Yes.
Did they lose my data? Yes.
Did they have my permission to have my data? No.
Will anyone get punished for them losing my data? History says no.

Knowing that the odds of punishment for not putting in better/more expensive security is near 0, we can safely assume they did not put in good security, especially given that they lost my data. I do not have to prove they had bad security. They have to prove they had good security. That will be tough considering they lost my data. I've y

Re:

[Tony Isaac]

Your four yes/no questions, I agree with.

Did they have to have your permission to have data about you? No.
Does losing your data mean they had bad security? No, it does not. Maybe they did, maybe they didn't, but this is not by itself enough data.

All this article proves, is that crooks were able to break in and steal. That's what crooks do, even if you have good security.

If this incident were sufficient to warrant shutting them down, every single business everywhere would have to shut down, because every bus

Re:

[iAmWaySmarterThanYou]

Did they require my permission? No. That is a legal flaw that can be changed.

They must prove they had sufficient security. It is not on me to prove they didn't, especially after a huge data loss. Until proven otherwise, it is very safe to assume they had shitty security.

If they can't make a good business -and- keep my data secure then they can go out of business and start a land scraping company or something where they can't hurt millions of people.

Re:

[Tony Isaac]

They must prove they had sufficient security

OK, so your argument is "because I say so." OK, got it, great logical argument.

In this country, we believe in "innocent until proven guilty" not "guilty unless proven innocent." So keep making your dictatorial statements, I'll never follow your lead, nor will the majority of Americans. Well, on second thought a whole lot of them want to make DJT a dictator, so maybe they would follow you.

Bad news for background check firms

[kid_wonder]

Now all that data might be free, not good for biz.

This data was already available for a fee, though probably a good idea to change all your passwords/pins that use birthdays or address info .. if you still do that sort of thing

Release the Schmooooo!!

[stooo]

Free all of the data!
Release the Schmooooo!!

Well, nice.

[Mr. Dollar Ton]

If the data of the officials that mis-legislate privacy are also in the data set, maybe they'll get careful the next time they consider privacy rules.

Look on the bright side

[93 Escort Wagon]

How much of this data do you think wasn't already out there, anyway?

Re:

[serafean]

> How much of this data do you think wasn't already out there, anyway?

Discuss why. Pencils ready, Go! You have four hours. Counts as half your final grade.

best practices & agile strike again!

[0xdeaddead]

Who could possibly imagine the predictable outcome?

Re:

[wyHunter]

I may be in the minority in software engineering, but honestly, I think agile has destroyed software feature/functionality, quality, and integrity. 10 "Oh we don't have time to think through what we want so let's throw something out there and see what sticks to the wall!" 20 "Oh we don't have time to re-engineer all this because we discovered that our initial agile ideas for design were wrong, so let's recreate a new product." 30 GOTO 10

Re:

[fyngyrz]

I think agile has destroyed software feature/functionality, quality, and integrity

While I agree with the end result you point out, Agile is certainly not single-handedly responsible for that. Plenty of other factors have contributed as well.

Who collected this data in the first place?

[misnohmer]

I think whoever collected this data and sold it to the company which got hacked should be liable. Sounds like a great class action lawsuit to me. It it's the US government, well, they should be more responsible with the data they collect and vet anyone they give it to, 100% tax credit for any fraud resolution costs for anyone on the compromised list - own up to it government, sorry, you'll be paying $500 per hour for lawyers to straighten out identify thefts, own your mistakes, maybe make identity theft a m

Re:

[Miles_O'Toole]

Corporations own the government. Why should the lackey pay all the consequences when those very corporations have bought legislation to ensure they won't have to face serious consequences for blatantly irresponsible behaviour?

Aren't we all already compromised

[kwelch007]

There have been so many of these XXX Million/Billion records compromised situations involving Government ID numbers and such that shouldn't we all just assume we've been compromised by now? At what point do we focus away from keeping that data private, and focus more on some secure way of identifying ourselves? I'm not certain the best way to do that in modern society. Not a big fan of using my immutable biometrics for that sort of thing, but I'm not sure I see any other options other than some complex M