1 BILLION Identity Records Exposed – Who is Responsible?
Legislators around the world want everyone to validate their identity but there is a dark underside to this.
Researchers discovered an unprotected MongoDB database that seems to be tied to the identity verification service IDMerit. It contained a billion records including 203 million records of people in the United States. That is more than half of the residents of the US.
IDMerit’s website says that they use cool security measures (link) that are a game changer for stopping hackers.
But if that is true, how do you explain this database with a billion records in it that researchers say is tied to the company?
If you open a bank or brokerage account or a number of other accounts, the institution is required to “know your customer”. IDMerit is the company behind that for many companies.
On November 11th of last year researchers at Cybernews discovered the unprotected database. They informed IDMerit who shut off the unprotected access the next day.
While we would never want that situation to exist in the first place, they responded quickly. It did take them more than three months to notify people and there is probably an entire food chain of organizations that will be required to send out breach notices.
What was exposed was a significant amount of data:
- Full legal names
- Home addresses and postal codes
- Dates of birth
- National ID numbers (including Social Security numbers for US records)
- Phone numbers
- Email addresses
- Gender information
- Telecom metadata — mobile network information that enables SIM-swap attacks
- KYC/AML verification logs — timestamps, verification outcomes, compliance flags
- Internal breach history flags — notes indicating whether individuals appeared in prior breaches
- Risk assessment annotations
The expanse of the breach is also breathtaking:
| Country | Records exposed |
| --- | --- |
| United States | 203 million+ |
| Mexico | ~124 million |
| Philippines | ~72 million |
| Germany | ~61 million |
| Italy | ~53 million |
| France | ~53 million |
| 20 other countries | Remaining records |
IDMerit says they run their platform but they don’t own, control or store customer data or the underlying data maintained by independent data sources.
So how did they shut it down so quickly?
Clearly there are some dots that they would prefer we don’t connect.
Since identity information cannot be easily changed (most of us choose not to change our gender and none of us can (legally) change our date of birth, for example), it is useful for all sorts of crime. Some examples are:
- SIM swap attacks (stealing your phone number)
- Targeted phishing
- Synthetic identity fraud
- Account takeovers
This is only one of several major incidents at identity verification service providers in the last year or two.
What is interesting is that the regulators have not picked up on this yet.
No FTC investigation ANNOUNCED.
No State Attorneys General making press releases.
No GDPR authority raising hell.
Granted, this is early, so all of that may change. This is the first I have heard of this compromise.
What are some simple things you can do in light of this?
- Freeze your credit – this makes it harder for a hacker to open a new account in your name.
- STOP using text message (SMS) based authentication for any financial accounts. This is dependent on what the financial institution allows and most of them are more worried about more tech support calls than protecting your money, so this might not be a real option.
- Set a SIM lock on your phone with your carrier – this will block, at least most of the time, hackers moving your phone number to a phone they own.
- Monitor for suspicious activity – most financial institutions allow you to set all sorts of alerts for deposits, withdrawals, transfers, etc. Set the alerts low and look at them as soon as they come in.
- Watch for really convincing phishing emails. After all, these hackers have a lot of sensitive data.
- Consider paying for a service to monitor things. This is a time vs. cost tradeoff. You can do it yourself. Or you can pay someone else to do it.
- Be especially vigilant for texts or emails associated with “verified identity” accounts like banks.
Hopefully we will learn more about where this data was stored and why since they claim they don’t store it, but obviously someone very near them does. Stay tuned; we will update you if we learn more.
Credit: My Privacy Blog
