Crooks threaten to leak 3B personal records 'stolen from background check firm'

Billions of records detailing people's personal information may soon be dumped online after being allegedly obtained from a Florida firm that handles background checks and other requests for folks' private info. A criminal gang that goes by the handle USDoD put the database up for sale for $3.5 million on an underworld forum …

  1. Doctor Syntax Silver badge

    It's about time any business of this nature that can't keep control of its data is sued into oblivion along with all its directors and officers.

    1. Caver_Dave Silver badge

      And directors and officers facing jail time and financial ruin for their mistakes. They are paid mega-bucks for taking the responsibility, now make them pay!

    2. TheBruce

      Problem is these companies are probably owned by a chain of several LLCs all of them holding basically no assets. So the actual wealth is untouchable.

      1. Doctor Syntax Silver badge

        The companies maybe untouchable. Their directors and officers would be - and in the scenario you describe, make it that way all the way up the chain although, of course, there may well be an overlap of personnel.

    3. ecofeco Silver badge

      Sued?

      Jail would be better. Nobody asked them to keep our personal data. They literally took it without our permission (duress is not permission) and then had it stolen by someone else.

  2. Ball boy Silver badge

    That 'opt out link'

    It should be made clear that the opt out page that Ms. Lyons linked-to in her report is only applicable to residents in California, Virginia, Colorado, Connecticut, or Utah. As I read it, the rest of the world has no rights to request data is deleted, corrected or not used for whatever purpose National Public Data see fit to put it to. Clearly, of the many that might have been 'leaked', relatively few ever had a right to opt out (IMHO it's very badly worded, has repeated clauses and poor punctuation; I stand corrected if I have somehow misinterpreted their intention).

    I'm sure I can say with a fairly high level of confidence that the vast majority of, say, British people would have absolutely no idea their data might have ended up in a DB owned by National Public Data in the US. How, then, would someone go about making sure such information is redacted when they can't possibly know which organisations they need to ask?

    If ever I am challenged to justify why I feel there needs to be international law supporting 'no data unless expressly opting in', this debacle and NPD's policy will form my keystone defences.

    Edit: grammar corrections [Ball boy]

    1. greenwood-IT

      Re: That 'opt out link'

      The "opt out" also doesn't work for relatives of the data subject. My details may well appear in the database without my knowledge if a relative of mine "opted in". You have the same issue with GDPR: a staff member can opt in but provide next of kin details, which is confidential data they share with you without the owner's permission.

    2. UnknownUnknown

      Re: That 'opt out link'

      Err … yes you do.

      https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/

      It’s also a huge breach of UK/EU GDPR.

      https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/

      At a glance

      The UK GDPR sets out seven key principles:

      • Lawfulness, fairness and transparency
      • Purpose limitation
      • Data minimisation
      • Accuracy
      • Storage limitation
      • Integrity and confidentiality (security)
      • Accountability

      1. Displacement Activity

        Re: That 'opt out link'

        Err … yes you do.

        https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/

        It’s also a huge breach of UK/EU GDPR.

        Err... I think you might have misunderstood. This is a tinpot information broker in Florida. It should be pretty obvious that there's nothing in US law that requires information brokers to find the country of origin of their data subjects, and then trawl through the laws of that country, and then decide whether or not they're bound by those laws. Because, of course, they're not. It should also be pretty obvious that GDPR is only relevant in very specific circumstances and places.

        1. Zippy´s Sausage Factory

          Re: That 'opt out link'

          Where would they have obtained data legally about a British citizen without that data being transferred from an entity covered by GDPR, be it a company or a person? That extends the onus on being compliant with GDPR to them.

          International law is complex, yes, but just because they don't have a presence in that country doesn't mean they aren't bound by those laws. I seem to remember Facebook used this argument a few years ago and failed with it.

          1. doublelayer Silver badge

            Re: That 'opt out link'

            There are two options:

            1. You are right, they get it from a UK organization that is breaking GDPR and is liable for it. The Florida people have no requirement to identify who that UK entity is, so unless you can find out in some other way, how are you going to file a complaint?

            2. They do it to UK citizens who have provided some information and collect it, with permission, from a UK company that has legitimate reasons under GDPR to process it. Then, unlike that company, they keep it and thus your objection only applies to them. Theoretically, you can still hold them liable under GDPR, but if they don't have operations in Europe, they will likely not pay a penalty.

        2. Mike 137 Silver badge

          Re: That 'opt out link'

          "GDPR is only relevant in very specific circumstances and places"

          The GDPR applies to any processing conducted anywhere if the data subject is "in the EU", i.e. present there at the time of processing. The UK GDPR applies similarly in respect of data subject presence in the UK. However, the right to erasure is not an opt-out right, as it can only be exercised after processing has begun.

      2. Cris E

        Re: That 'opt out link'

        That is all predicated on each British citizen knowing that some small-time Florida data broker has their data so they can request compliance with that law. And they would need to know about all the other data brokers as well, which is not really possible since US law lets anyone gather whatever they can. The gap between Law and Enforcement in this case is pretty vast.

        1. MachDiamond Silver badge

          Re: That 'opt out link'

          "That is all predicated on each British citizen knowing that some small-time Florida data broker has their data"

          It's hard to use the term "small-time" since I could put a rack in my garage and store information on millions of people as a sole trader. I'd be a firm with one employee, but with a very large database. Not only would I know a lot about many people, in this instance, it's information on a very select group of people. If the information stored in my system was only about people earning over $500,000/yr and those with a net worth over $50mn, would I still be "small-time"? On the other hand, if I had information on 10x the number of people that all lived on $2,000/yr or less in depressed areas of Africa, would that be "small-time" based on the value of the data?

          The issue with Big Data is there's no real liability legislation. Causing a serious injury is easy to quantify, but mangling somebody's finances and making it difficult or impossible to find employment, get insurance and rent housing can be just as bad.

    3. ecofeco Silver badge

      Re: That 'opt out link'

      Background checks in the U.S. are often for employment purposes. You cannot opt out of those.

  3. Pascal Monett Silver badge

    277.1GB from a "small" information broker

    I shudder to think of how many "small" brokers there are, and how much data the big brokers have . . .

    1. ecofeco Silver badge

      Re: 277.1GB from a "small" information broker

      All of it. They have all of it.

  4. Doctor Syntax Silver badge

    Something a bit odd here. 3B records < 300B bytes of data. That's not much data per record.

    1. Anonymous Coward

      "3B records < 300B bytes of data"

      I would *assume* [yes ... I know the risks] the file is compressed ... Textual data takes up a lot of space until compressed !!!

      :)

      1. sitta_europea Silver badge

        Well (1) the crooks selling the data would use the biggest number they can, so they'd give the uncompressed size, and (2) even if it's compressed text it's *still* not a lot of data per record - to me it doesn't sound like enough to hold all the information claimed.

        Seems something doesn't quite add up.

    2. Springsmith

      3B records on people who have lived in the US - not records on 3B people

      Social security number + address + dates is one record; and considerably less than 300 bytes.

      Social security number + Medicare id is another record.

      Social security number plus name and date of birth, yet another.

      For "record" think "row in database" or possibly "row and column" and you'll be closer.

      (3B people would be about 2/5 of the population of the Earth - given it is over the last 30 years)

      1. Doctor Syntax Silver badge

        Re: 3B records on people who have lived in the US - not records on 3B people

        TFA also says "on all US, Canadian, and British citizens". It also says "address history going back at least three decades" and "people's parents, siblings, and relatives,"

        If the first part is correct it extends well beyond people who have lived in the US to include people who have not lived in the US, and people who are long since dead. That's still a lot of people so you have to divide the 3 billion by whatever that is. You're heading to single digit numbers of records per person.

        Depending just how far "at least three decades" extends address history could cover 3 addresses for myself and for SWMBO (Are they held as separate copies? If this is raw material for building associations they'd need to be.) For my children it would include one or two of those plus several others each as it would include their undergraduate and in one case post-grad and post-doc careers and their subsequent lives - quite a lot each. It all adds up.

        1. Anonymous Coward

          Re: 3B records on people who have lived in the US - not records on 3B people

          Everyone has a degree in your family yet you fail to realize that most people have none. And I would absolutely be surprised if the majority of mid US born people ever left their county. At first they're talking about all US, UK and CA people and then they filter it to those who ever lived in the US. Whatever that means. Plenty of people have one address so the rest of the entries being additional information on an existing row is fairly reasonable for the size and amount of people (probably even if it contains almost everyone of those 3 countries)...

        2. John Brown (no body) Silver badge

          Re: 3B records on people who have lived in the US - not records on 3B people

          "If the first part is correct it extends well beyond people who have lived in the US to include people who have not lived in the US, and people who are long since dead."

          I'm not so sure about the "long since dead" bit. My reading of "a Florida firm that handles background checks and other requests for folks' private info." and having been subject to background checks for various security clearances is that it is the sort of long ago data collected for a current check. The data isn't 3 decades old but the data may contain recent data on recent people referring to past addresses for the last few decades. Along with all the other data collected, that's more than enough to impersonate someone in online transactions. The fact they claim to include all British citizens tells me they don't have everything on everyone, but have collected a lot of data from various sources and assembled it. Whether they have also slurped up or bought data from agencies handling security clearances and so have that much actual and correctly attributed data on individuals is another matter and rather worrying if they have. My various clearances have all been handled via commercial organisations and each one done by a different org., which is concerning in itself since they all want pretty much the same information with minor variations such that I wonder why I need so many different ones. For example, the highest grade one should, by default, clear me for most if not all of the others. But every Govt. Dept/org wants their own clearance done their way.

    3. MachDiamond Silver badge

      "Something a bit odd here. 3B records < 300B bytes of data. That's not much data per record."

      Accuracy in reporting is far less important these days than getting a headline that sounds good so people will click on it. I'd not be surprised if the information is being given orally and "reporters" are having to make quick written notes and will not have a way to verify anything later. Even press handouts are often a complete mess or break out information in ways that are easy to misquote.

  5. flayman

    Oops, I forgot to opt out of having my private data that I didn't even know was collected being stolen by criminal gangs.

    1. Cris E

      Oh come now, they aren't all criminal gangs. In fact they are entrepreneurs so it's significantly worse.

  6. Cliffwilliams44 Silver badge

    This type of data is not being used for background checks.

    For a background check you are interested in criminal history and possibly credit report.

    A database that contains address history and relatives would primarily be utilized by debt collection agencies. They, IMO, have no right to that data.

    1. Twilight

      Incorrect. Background checks regularly include address history and other things that you wouldn't expect (though it's been a few years since my last so I don't remember exactly what else anymore).

      1. John Brown (no body) Silver badge

        Yes, depending on what it's for, they may ask for all sorts of additional details, including the right to peruse your bank account, so along with all my personal details, at least one UK vetting agency has (or more hopefully *had*) my full bank account details too. I'd like to think they don't store all of the data, just a check box to say it's been seen, verified and deleted, but I don't know that for sure.

  7. Anonymous Coward

    I've been a fan of data removal services for a while

    I'm using Optery, and it helps by removing my data from brokers. It’s given me some peace of mind knowing my information is more secure.
