Security lapse or security blunder? Private data of 56M Americans exposed from China, apparently taken from CheckPeople.com.
Security lapses are quite common nowadays and should not come as a surprise. But there’s a difference between a security lapse and a blunder, and the recent incident is purely an example of the latter.
According to The Register, a white hat hacker using the Twitter handle @Lynx0x00 identified a database hosting sensitive personal data of over 56.25 million Americans. The database was stored on a computer in China, using an IP address located in the eastern Chinese region of Hangzhou.
According to the hacker, the NoSQL database is massive: it contains roughly 22GB of private data, including past and present home addresses, real names, ages, and relations, as well as phone numbers. What’s worse is that the database is still available for public access without any authentication.
Upon further digging, it was identified that the computer was linked to the Internet via a web hosting service facilitated by Alibaba. It can be termed a grave security blunder because even researchers are perplexed as to why the information was stored on a Chinese computer and made freely accessible, giving spammers and extortionists a chance to exploit it.
The origins of the database have, however, been identified. The data belongs to a Florida-based company, CheckPeople.com.
This company offers an “easy-to-use platform” to help people find information about anyone, from real name and phone number to relatives and even felony records, for a nominal fee. But it seems you don’t need to visit this website and pay to get the desired information, as the entire data set is now stored and accessible on a Chinese computer.
In a statement to The Register, CheckPeople said it is looking into the incident.
“CheckPeople is unaware of any database of information hosted in China or through Alibaba. CheckPeople’s records are stored in the United States on secure servers. However, CheckPeople takes security issues very seriously and is investigating this matter,” the company said.
This, however, is not the first time that personal data of unsuspecting users has been stored and exposed in such a manner. In fact, since 2017, personal details of millions of Americans have been leaked online, including household-related data of 123 million individuals, data of 82 million citizens in an Elasticsearch breach, and millions of SMS messages and personal information of millions of Americans in a Microsoft Azure breach.