22 Nov, 2019
A massive four-terabyte trove of sensitive personal data belonging to over a billion profiles has been found on an unsecured Google Cloud server – its owner still a mystery – in one of the largest single-source data leaks ever.
The mountain of data, including phone numbers, email addresses, and social media profiles, was sitting unprotected on an anonymous server hosted on the Google Cloud when security researchers Vinny Troia and Bob Diachenko found it while scanning for vulnerabilities last month. After they reported the massive exposure to the FBI, it disappeared within hours. It’s not clear who accessed it before Troia and Diachenko, and what they did with the data, but the sheer enormity of the leak, with 1.2 billion unique data profiles potentially slurped up by malicious actors, is enough to cause alarm.
The information was likely obtained in four chunks from so-called “data enrichment” companies, Troia suggested in a blog post on Friday announcing his discovery. These entities allow a customer to use a single piece of information on a person, even just their name, to access potentially hundreds more data points – anything from email address to preferred social activities. Two data enrichers – People Data Labs and OxyData.io – were discovered to be the sources for the data on the rogue server.
However, after communicating with both companies, Troia was satisfied that the server did not belong to either. Its owner could have bought the data from them and just left it lying around unsecured – without any further information about the server’s owner, there was little that could legally be done.
That doesn’t solve the problems of the 1.2 billion people whose private information is now floating around in the ether. Data enrichers pass the responsibility for securing the data they sell onto the customers as soon as the transaction is completed. If that customer’s security lapses, no one is responsible for telling the person whose data is now being pilfered by who knows how many malicious actors that they’ve – as a popular site for learning what your data is up to puts it – been ‘pwned.’ As usual, data privacy law lags far behind technology.