600,000+ Sensitive Records Exposed From Background Checks Service Provider

A publicly exposed database has left the sensitive information of hundreds of thousands of individuals vulnerable to potential misuse.

Not protected by passwords or encryption, the database contained 644,869 PDF files, totaling 713.1 GB, exposing a treasure trove of personal information.

The data, mostly labeled as “background checks,” included a wide range of personally identifiable information (PII) such as full names, home addresses, phone numbers, email addresses, employment details, family connections, social media accounts, and criminal history.

This alarming exposure traces back to SL Data Services, LLC, which appears to operate a network of approximately 16 websites providing various information services.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Among these, Propertyrec stands out, a site known for property and real estate research data.

The breach not only suggests a lack of robust security measures but also raises serious privacy concerns, as the leaked information could potentially be exploited for targeted phishing attempts, social engineering attacks, or even identity theft.

The discovery was made by an independent security researcher who promptly sent a responsible disclosure notice.

Despite this, it took over a week for public access to the database to be restricted, during which time the number of documents grew from 513,876 to 664,934.

SL Data Services and Propertyrec did not respond to the disclosure notification or to subsequent inquiries before publication, leaving it unclear whether the database was managed by them directly or by a third-party contractor.

Sensitive Records Exposed

According to USA Today, Propertyrec is known for providing access to millions of public and private property records across the United States.

However, customer support confirmed that the company’s offerings extend to criminal checks, DMV records, and even death and birth records, as per a report by Website Planet.

Adding to the controversy, customer reviews suggest that users are often enrolled in a subscription service inadvertently, facing recurring charges instead of a one-off payment.

The exposed background checks likely occurred without the knowledge or consent of the individuals involved, amplifying the potential for abuse.

While court records and sex offender statuses are public in the U.S., the aggregation of this data with other sensitive information could allow malicious actors to construct comprehensive profiles for nefarious purposes.

This breach echoes the August 2024 National Public Data incident, where similar vulnerabilities led to hackers advertising stolen personal information on the dark web.

Given the persistent risk of significant breaches, experts urge companies to adopt more stringent data protection measures, such as using encrypted, randomized file identifiers rather than names or PII.

The ethical researcher behind the discovery emphasized that their actions were solely aimed at highlighting vulnerabilities and prompting corrective measures.

They eschewed any unauthorized activities, underscoring the importance of security awareness and the need for independent assessments to safeguard private data.

The incident serves as a stark reminder of the critical importance of cybersecurity, urging all organizations handling sensitive information to bolster their defenses and prevent future breaches.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar