"Credit repair". That sounds like a business Al Capone would have been proud to run. Probably similar business model too.
The National Credit Federation, a US credit repair biz, left 111GB of thousands of folks' highly sensitive personal details exposed to the public internet, according to security researchers. In yet another AWS S3 configuration cockup, Americans' names, addresses, dates of birth, photos of driver licenses and social security …
Saturday 2nd December 2017 11:49 GMT Anonymous Coward
Capone would be proud of this lot
Probably similar business model too.
It is exactly that model.
I have had letters from a so-called "debt management" company essentially saying that they would do their damnedest to make sure I wouldn't get a new job or a new apartment unless I paid up first. They didn't seem to give a flying fuck about court orders saying I didn't have the funds to pay.
Continuous harassment on top, but as I said, they ignore court orders.
Jail time is needed to stop this kind of abuse.
Sunday 3rd December 2017 17:05 GMT TheVogon
Re: Capone would be proud of this lot
"I have had letters from a so-called "debt management" company essentially saying that they would do their damnedest to make sure I wouldn't get a new job or a new apartment unless I paid up first."
I suspect they were just telling you the potential impact of a poor credit history and / or court debt judgements. They might have implied it was directly them to get you to pay their debt as a priority, but unless they are the creditor or they take you to court, in reality it's your credit record.
"Continuous harassment on top, but as I said, they ignore court orders"
Well in the UK at least if you tell them the debt is disputed and not to contact you again, it's illegal for them to harass you.
Other court orders are likely irrelevant unless they pertain to this specific debt or you are declared bankrupt or protected while your assets are assessed. And a court observation that you don't currently have funds to pay doesn't stop them pursuing you when you do.
Guessing you are in the US see:
Sunday 3rd December 2017 16:53 GMT TheVogon
Monday 4th December 2017 06:02 GMT Lysenko
"when they accidentally configure S3 buckets to be public"
How could you ever do that accidentally? It takes deliberate effort.
True, but in fairness, one has to note that the AWS security interface is viciously user-hostile for the sort of amateur whom Amazon encourages to play with the system. I don't think it is entirely coincidental that all these leaks seem to be AWS rather than OneDrive, DropBox, GDrive or any of the other clouds like Azure. There should be big red switches on the primary configuration screen, explicitly labelled "Allow access to all Internet users?" with a confirmation dialog noting:
"If you are storing any personal information regarding individuals, activating this feature may be illegal in your jurisdiction, potentially leading to unlimited fines and/or imprisonment."
Saturday 2nd December 2017 11:31 GMT Anonymous Coward
Sunday 3rd December 2017 00:15 GMT Anonymous Coward
Sunday 3rd December 2017 18:48 GMT Tom 7
Re:You can't legislate anti-stupidity behind the keyboard
No, but you can encourage people to put procedures in place to counteract the stupidity. Having your arse handed to you by the courts can encourage company bosses to actually ensure the stupidity is procedured out to the point of it being near impossible.
Sunday 3rd December 2017 17:11 GMT Anonymous Coward
"This is becoming a huge problem and there really needs to be legislation that makes the companies and directors legally responsible. "
There is and they are. Currently it's covered by the Data Protection Directive and from next year it's the General Data Protection Regulation. The potential fines are vast and deliberate infringement can result in prison time.
Sunday 3rd December 2017 20:36 GMT Anonymous Coward
The GDPR is a very good start but it depends on how it's implemented and whether they follow through with the fines because what happens when you have a "too big" company like google, microsoft or facebook? Could they threaten to pull services in the EU in response and what would the EU's response to that be?
Deliberate infringement would be very hard to prove, just because someone didn't apply a security patch or something like that would not be classed as deliberate infringement. I can't really see where deliberate infringement could apply because then you would be trying to harm your own company which is never going to happen.
Wednesday 6th December 2017 22:13 GMT TheVogon
"The GDPR is a very good start but it depends on how it's implemented"
We already know that - the laws are in place and take effect next year.
"because what happens when you have a "too big" company like google, microsoft or facebook? "
As they all have offices in the EU fines would be easily enforceable.
"Could they threaten to pull services in the EU in response"
Presumably they could.
"and what would the EU's response to that be?"
I would guess it would be "go on then". The EU is after all a larger market in terms of both population and GDP than the US.
Saturday 2nd December 2017 12:05 GMT RichardEM
Putting someone in jail for maybe 2-5 years while their families can get on with their lives I don't believe has been shown to have any real effect on the companies that have OUR DATA.
Until there are real consequences to the upper management of these companies (as part of that group of people I mean those that allocated what to spend to protect OUR DATA), such as large monetary penalties that are not covered by company or personal insurance, so the people responsible, and their families, can feel the consequences of not doing everything that is necessary to protect the customers' sensitive data.
Saturday 2nd December 2017 13:07 GMT Mark 110
Not identities worth stealing
"The data store would have been a treasure trove for identity thieves and fraudsters, although there is no evidence information was lifted by miscreants."
Maybe. Not really much point in stealing the identities of people that need help with their credit score. It's still incredibly clumsy though.
Saturday 2nd December 2017 13:22 GMT Anonymous Coward
I'll bet they had nothing to hide...
I'm starting to sound like a broken record because I've posted something like this quite a few times now but yah, they keep providing us with good examples.
See title: I'm pretty sure their customers had nothing to hide, but as always that's not the primary concern when it comes to privacy and such. The real concern is how the other party is going to (ab)use all the collected data.
And here we are, once again an excellent example. Let the identity theft games begin!
Ironic isn't it: if you want to store information related to credit cards you'll have to go through a ton of hoops (PCI compliance for example) before they'll let you off the hook. And the credit card companies themselves? Well, they seem to have no problems with just dumping all their data onto a public storage facility.
If an individual does this there'd be massive fines to pay, but I'm sure that's all "different" for these guys.
Saturday 2nd December 2017 15:35 GMT Anonymous Coward
Yet they are still rushing
to move everything into the Cloud.
How many more breaches (and subsequent loss of PR and fines) like this will companies need before they stop and think that this might not be a good decision?
Sadly, they won't stop and more breaches will happen. Repeat and rinse.
Saturday 2nd December 2017 16:09 GMT a_yank_lurker
Re: Yet they are still rushing
My problem with the cloud is very sensitive data does reside on someone else's hardware. Aside from misconfigured databases and services, if you do not own the hardware you really do not control the data.
Kim Dotcom got into trouble as Megaupload contracted storage out and one of the companies was US based.
Saturday 2nd December 2017 23:08 GMT DougW
Monday 4th December 2017 04:14 GMT Winkypop
Tuesday 5th December 2017 13:16 GMT Nimby
Basic Security 101 - Failed
The problem is that companies don't even follow basic security practices for handling this kind of data. The cloudy bitbucket is bad enough, but even then, had the data been properly encrypted, hashed, salted, with important columns separated into separate databases on unique servers / buckets, then the damage of exposure (whether hack or just bad configuration open to world + dog) would be minimal.
How many more decades do we have to go before companies are held significantly liable just for the fact of not storing the data according to basic security practices defined ages ago?
I'm not even asking for anything interesting or advanced. Just Basic Security 101 would be a massive improvement over "one server, one database, unencrypted, unprotected, open to world".
Wednesday 6th December 2017 22:16 GMT TheVogon
Re: Basic Security 101 - Failed
"How many more decades do we have to go before companies are held significantly liable just for the fact of not storing the data according to basic security practices defined ages ago?"
They already are responsible and there have been plenty of fines. The GDPR makes the fines vastly larger from next year. And makes the requirements much more specifically defined.