Cybercriminals threaten to leak all 5 million records from stolen database of high-risk individuals The World-Check database used by businesses to verify the trustworthiness of users has fallen into the hands of cybercriminals. The Register was contacted by a member of the GhostR group on Thursday, claiming responsibility for the theft. The authenticity of the claims was later verified by a spokesperson for the London Stock …
Then, when the next breach occurs, further work will "be underway".
Sometimes it would be so nice to be able to just stand those idiots in a line and slap all of them in one fell swoop.
I don't care that security is hard. You know that the database is critical. Get yourselves an $800 million dollar budget and secure the damn thing.
From my limited knowledge of this topic, there isn't really 'a database' to secure: this is not a central database that organisations consult to see if a potential customer is on a list, because no organisation wants to let someone else know who is coming through their doors.
Instead, subscribers regularly get a copy so they can use it to populate their own internal database that they consult. Because the schema is rather basic, I believe it is not much more complicated than a gigantic CSV, XML or JSON file, to make it easy for organisations to ingest no matter what technology they use.
So, not one copy to protect, lots. And no-one knows where all of them are.
I reckon we need to hear from the Information Commissioner's Office about this. These are personal details of identifiable living individuals and so covered by the GDPR in both the UK and the EU. Organisations holding such data must keep it securely. but because these people are known or strongly suspected of being very very naughty does not mean their data can be treated less carefully, In any case, an internationally active criminal would be very interested to know what information is held about them, particularly whether their current alias is known.
Are you kidding, the OAIC? They know we don't deserve to see behind the curtains.
Records from these datasets are only leaked occasionally, and carefully, quite selectively, when they need to target someone, or some group. Need to see how much makes it out publicly. As KYC datasets are so detailed, with financial and private contact of maximum importance to everyone in them, the ones they miss out are significant. Should the group be paid for by an Actor of significance, they'll scrape anyone they care about from the list, before they publish any records from it. This will be checked by eeryone 'in the tent', so they can gain clues about those behind it.
Should data privacy ever become part of the public narrative during a leak (rarely), they wheel out the 'We need to centralise all records to absolutely secure (eminently, who dare question this anyway)' government dept' datastores', where the only one to blame for any wrongdoing are Bots and IT bods.
The elephant in the room here is KYC and AML, requiring these records be collected, checked and verified by multiple businesses with (practically) no guidance or governance around ownership, management of data, minimum standards, best practice, and long term goals... it all just amplifies how little anyone can achieve can last until we resolve problems of Trust in an open, public, way. Centralisation of PII in insecure, obscure, government systems is a patch dressed up as latex, and has plenty of problems of its own.
But it's not just 'bad people', it's also what are known as 'Politically Exposed Persons', including such as the judges mentioned. They, for example, aren't just judges on the take, but any judge who might be a target for bribery. And whilst many may have a lower opinion of politicians as a class, for the most part, they aren't the sort that should be barred from banking just for being a politician.
> Sources speaking to The Register at the time claimed HSBC also may have closed the mosque's account because of a donation made to an unspecified Palestinian org during its 2015 war with Israel. In 2021, the mosque won a libel case against the news agency, which had to pay unspecified damages as its wrongful placement on the list caused banks to refuse to accept the mosque as a customer.
For anyone else who couldn't follow who "the news agency" was, it's Thompson Reuters, mentioned way up higher in the article.
The compilation will have more value than the sum of the parts and getting on the list likely doesn't mean that a court somewhere has looked at evidence and convicted a person on the list. Read: carp tons of politics. A news agency might keep such a list of persons where the suspicion they are naughty is valuable in the same way as law enforcement agencies, but not for sharing around. If I read the article correctly, somebody is trying to duck responsibility by claiming that the data was hacked from another source than the original file. This is one of those things where the liability shouldn't be able to be shed. A dangerous product was "shared" with their "partners" and one of those partners screwed up. If the originator is also on the hook, maybe they'll be more cautious next time or keep such things in-house and air-gapped.
Back when a certain Supreme was in the news for not seeing all expense luxury vacations as a problem a lot of normal government employees described the rules they operated under. As in if they inspected a facility they had to pay for their own coffee. Supposedly some companies kept a separate coffee machine where you could pay for it just for this purpose, even if everyone else got theirs for free.
So I suspect that the risk category is rather "politically appointed government official".
and if Russia contributes to the list, it will include all members of Jehovah's Witnesses and various other harmless folk, plus anyone who doesn't support the Special Military Operation (TM) and and and.
I hope someone at the bank actually *reads* the "why this person's on the list" field, not just summarily dismiss anyone who is.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
