It's about time any business of this nature that can't keep control of its data is sued into oblivion along with all its directors and officers.
Crooks threaten to leak 3B personal records 'stolen from background check firm'
Billions of records detailing people's personal information may soon be dumped online after being allegedly obtained from a Florida firm that handles background checks and other requests for folks' private info. A criminal gang that goes by the handle USDoD put the database up for sale for $3.5 million on an underworld forum …
COMMENTS
-
Monday 3rd June 2024 21:26 GMT Ball boy
That 'opt out link'
It should be made clear that the opt out page that Ms. Lyons linked-to in her report is only applicable to residents in California, Virginia, Colorado, Connecticut, or Utah. As I read it, the rest of the world has no rights to request data is deleted, corrected or not used for whatever purpose National Public Data see fit to put it to. Clearly, of the many that might have been 'leaked', relatively few ever had a right to opt out (IMHO it's very badly worded, has repeated clauses and poor punctuation; I stand corrected if I have somehow misinterpreted their intention).
I'm sure I can say with a fairly high level of confidence that the vast majority of, say, British people would have absolutely no idea their data might have ended up in a DB owned by National Public Data in the US. How, then, would someone go about making sure such information is redacted when they can't possibly know which organisations they need to ask?
If ever I am challenged to justify why I feel there needs to be international law supporting 'no data unless expressly opting in', this debacle and NPD's policy will form my keystone defences.
Edit: grammar corrections [Ball boy]
-
Tuesday 4th June 2024 06:53 GMT greenwood-IT
Re: That 'opt out link'
The "opt out" also doesn't work for relatives of the data subject. My details may well appear in the database without my knowledge if a relative of mine "opted in". You have the same issue with GDPR: a staff member can opt in but provide next-of-kin details, which is confidential data they share with you without the owner's permission.
-
Tuesday 4th June 2024 06:56 GMT UnknownUnknown
Re: That 'opt out link'
Err … yes you do.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/
It’s also a huge breach of UK/EU GDPR.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/
At a glance
The UK GDPR sets out seven key principles:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
-
Tuesday 4th June 2024 08:59 GMT Displacement Activity
Re: That 'opt out link'
Err … yes you do.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/
It’s also a huge breach of UK/EU GDPR.
Err.. I think you might have misunderstood. This is a tinpot information broker in Florida. It should be pretty obvious that there's nothing in US law that requires information brokers to find the country of origin of their data subjects, and then trawl through the laws of that country, and then decide whether or not they're bound by those laws. Because, of course, they're not. It should also be pretty obvious that GDPR is only relevant in very specific circumstances and places.
-
Tuesday 4th June 2024 11:41 GMT Zippy´s Sausage Factory
Re: That 'opt out link'
Where would they have obtained data legally about a British citizen without that data being transferred from an entity covered by GDPR, be it a company or a person? That extends the onus on being compliant with GDPR to them.
International law is complex, yes, but just because they don't have a presence in that country doesn't mean they aren't bound by those laws. I seem to remember Facebook used this argument a few years ago and failed with it.
-
Tuesday 4th June 2024 16:18 GMT doublelayer
Re: That 'opt out link'
There are two options:
1. You are right, they get it from a UK organization that is breaking GDPR and is liable for it. The Florida people have no requirement to identify who that UK entity is, so unless you can find out in some other way, how are you going to file a complaint?
2. They do it to UK citizens who have provided some information and collect it, with permission, from a UK company that has legitimate reasons under GDPR to process it. Then, unlike that company, they keep it and thus your objection only applies to them. Theoretically, you can still hold them liable under GDPR, but if they don't have operations in Europe, they will likely not pay a penalty.
-
Tuesday 4th June 2024 15:36 GMT Mike 137
Re: That 'opt out link'
"GDPR is only relevant in very specific circumstances and places"
The GDPR applies to any processing conducted anywhere if the data subject is "in the EU", i.e. present there at the time of processing. The UK GDPR applies similarly in respect of data subject presence in the UK. However, the right to erasure is not an opt-out right, as it can only be exercised after processing has begun.
-
Tuesday 4th June 2024 13:38 GMT Cris E
Re: That 'opt out link'
That is all predicated on each British citizen knowing that some small-time Florida data broker has their data so they can request compliance with that law. And they would need to know about all the other data brokers as well, which is not really possible since US law lets anyone gather whatever they can. The gap between Law and Enforcement in this case is pretty vast.
-
Tuesday 4th June 2024 16:45 GMT MachDiamond
Re: That 'opt out link'
"That is all predicated on each British citizen knowing that some small-time Florida data broker has their data"
It's hard to use the term "small-time" since I could put a rack in my garage and store information on millions of people as a sole trader. I'd be a firm with one employee, but with a very large database. Not only would I know a lot about many people; in this instance, it's information on a very select group of people. If the information stored in my system was only about people earning over $500,000/yr and those with a net worth over $50mn, would I still be "small-time"? On the other hand, if I had information on 10x the number of people that all lived on $2,000/yr or less in depressed areas of Africa, would that be "small-time" based on the value of the data?
The issue with Big Data is there's no real liability legislation. Causing a serious injury is easy to quantify, but mangling somebody's finances and making it difficult or impossible to find employment, get insurance and rent housing can be just as bad.
-
Monday 3rd June 2024 22:22 GMT sitta_europea
Well (1) the crooks selling the data would use the biggest number they can, so they'd give the uncompressed size, and (2) even if it's compressed text it's *still* not a lot of data per record - to me it doesn't sound like enough to hold all the information claimed.
Seems something doesn't quite add up.
-
Tuesday 4th June 2024 00:18 GMT Springsmith
3B records on people who have lived in the US - not records on 3B people
Social security number + address + dates is one record; and considerably less than 300 bytes.
Social security number + Medicare id is another record.
Social security number plus name and date of birth, yet another.
For "record" think "row in database" or possibly "row and column" and you'll be closer.
(3B people would be about 2/5 of the population of the Earth, given it is over the last 30 years)
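A quick way to sanity-check the "3B records in under 300 GB" figure discussed in this thread is to build rows of the three shapes listed above, measure what one row actually costs raw and gzipped, and compare that with what the seller's claim implies per record. The script below is an added example, not code from the article or from anyone in the thread; every SSN, ID, name and address it generates is a random fake in the right format, and the CSV layout and the 300 GB / 3,000,000,000 figures are assumptions taken from the comments rather than from the seller's listing.

```python
"""Plausibility check for a breach-size claim: bytes per record, raw and gzipped,
for the record shapes described in the thread (constructed data only)."""
import csv
import gzip
import io
import random

# Small vocabularies for the fake rows; nothing here is real data.
STREETS = ["Main St", "Oak Ave", "Elm Rd", "Pine Ln", "Lake Dr"]
CITIES = [("Tallahassee", "FL", "32301"), ("Orlando", "FL", "32801"),
          ("Reno", "NV", "89501"), ("Austin", "TX", "78701")]
FIRST = ["Jane", "John", "Maria", "Wei", "Ahmed"]
LAST = ["Doe", "Smith", "Garcia", "Chen", "Khan"]
MBI_ALPHABET = "0123456789ACDEFGHJKMNPQRTUVWXY"   # MBI-style character set (no S, L, O, I, B, Z)

SHAPES = ("ssn_address_dates", "ssn_medicare_id", "ssn_name_dob")


def make_rows(shape, n, seed=0):
    """Generate n constructed rows of one shape. Random fakes, deterministic per seed."""
    rng = random.Random(seed)

    def ssn():
        return f"{rng.randint(100, 899):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"

    def date():
        return f"{rng.randint(1960, 2024)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}"

    rows = []
    for _ in range(n):
        if shape == "ssn_address_dates":          # SSN + address + from/to dates
            city, state, zipc = rng.choice(CITIES)
            rows.append((ssn(), f"{rng.randint(1, 9999)} {rng.choice(STREETS)}",
                         city, state, zipc, date(), date()))
        elif shape == "ssn_medicare_id":          # SSN + 11-char Medicare-style ID
            rows.append((ssn(), "".join(rng.choice(MBI_ALPHABET) for _ in range(11))))
        elif shape == "ssn_name_dob":             # SSN + name + date of birth
            rows.append((ssn(), rng.choice(FIRST), rng.choice("ABCDEFGHJKLMNPQRSTUVWXYZ"),
                         rng.choice(LAST), date()))
        else:
            raise ValueError(f"unknown shape {shape!r}")
    return rows


def to_csv_bytes(rows):
    """Serialise rows as plain CSV (UTF-8, LF line endings) and return the bytes."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue().encode("utf-8")


def bytes_per_record(rows, compressed=False):
    """Average bytes per row, either raw CSV or after gzip (mtime=0 keeps output stable)."""
    data = to_csv_bytes(rows)
    if compressed:
        data = gzip.compress(data, mtime=0)
    return len(data) / len(rows)


def implied_bytes_per_record(claimed_records, claimed_bytes):
    """Per-record budget a seller's numbers imply (3B records in 300 GB -> 100 bytes each)."""
    return claimed_bytes / claimed_records


def plausibility_report(claimed_records, claimed_bytes, rows_per_shape=2000):
    """For each shape: (raw B/row, gzipped B/row, fits budget raw?, fits budget gzipped?)."""
    budget = implied_bytes_per_record(claimed_records, claimed_bytes)
    report = {}
    for shape in SHAPES:
        rows = make_rows(shape, rows_per_shape)
        raw = bytes_per_record(rows)
        gz = bytes_per_record(rows, compressed=True)
        report[shape] = (raw, gz, raw <= budget, gz <= budget)
    return report


if __name__ == "__main__":
    # Figures assumed from the thread's discussion, not from the seller's listing.
    budget = implied_bytes_per_record(3_000_000_000, 300_000_000_000)
    print(f"claim implies {budget:.0f} bytes per record")
    for shape, (raw, gz, ok_raw, ok_gz) in plausibility_report(3_000_000_000, 300_000_000_000).items():
        print(f"{shape:18s} raw={raw:5.1f} B/row gzip={gz:5.1f} B/row "
              f"fits raw={ok_raw} fits gzipped={ok_gz}")
```

Two things the numbers show once you run it: a "row" of any of these shapes is well under 100 bytes even uncompressed, so "3B records" is not inconsistent with a few hundred gigabytes and is not evidence of 3B distinct people; and gzip roughly halves it, so whether a seller's size figure is compressed or not changes the implied record count by about 2x, which is the uncertainty sitta_europea points at.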
-
Tuesday 4th June 2024 11:10 GMT Doctor Syntax
Re: 3B records on people who have lived in the US - not records on 3B people
TFA also says "on all US, Canadian, and British citizens". It also says "address history going back at least three decades" and "people's parents, siblings, and relatives,"
If the first part is correct it extends well beyond people who have lived in the US to include people who have not lived in the US, and people who are long since dead. That's still a lot of people so you have to divide the 3 billion by whatever that is. You're heading to single digit numbers of records per person.
Depending just how far "at least three decades" extends address history could cover 3 addresses for myself and for SWMBO (Are they held as separate copies? If this is raw material for building associations they'd need to be.) For my children it would include one or two of those plus several others each as it would include their undergraduate and in one case post-grad and post-doc careers and their subsequent lives - quite a lot each. It all adds up.
-
Tuesday 4th June 2024 12:02 GMT Anonymous Coward
Re: 3B records on people who have lived in the US - not records on 3B people
Everyone has a degree in your family yet you fail to realize that most people have none. And I would absolutely be surprised if the majority of mid US born people ever left their county. At first they're talking about all US, UK and CA people and then they filter it to those who ever lived in the US. Whatever that means. Plenty of people have one address so the rest of the entries being additional information on an existing row is fairly reasonable for the size and amount of people (probably even if it contains almost everyone of those 3 countries)...
-
Tuesday 4th June 2024 21:58 GMT John Brown (no body)
Re: 3B records on people who have lived in the US - not records on 3B people
"If the first part is correct it extends well beyond people who have lived in the US to include people who have not lived in the US, and people who are long since dead."
I'm not so sure about the "long since dead" bit. My reading of "a Florida firm that handles background checks and other requests for folks' private info", and having been subject to background checks for various security clearances, is that it is the sort of long ago data collected for a current check. The data isn't 3 decades old but the data may contain recent data on recent people referring to past addresses for the last few decades. Along with all the other data collected, that's more than enough to impersonate someone in online transactions. The fact they claim to include all British citizens tells me they don't have everything on everyone, but have collected a lot of data from various sources and assembled it. Whether they have also slurped up or bought data from agencies handling security clearances and so have that much actual and correctly attributed data on individuals is another matter and rather worrying if they have. My various clearances have all been handled via commercial organisations and each one done by a different org., which is concerning in itself since they all want pretty much the same information with minor variations such that I wonder why I need so many different ones. For example, the highest grade one should, by default, clear me for most if not all of the others. But every Govt. Dept/org wants their own clearance done their way.
-
Tuesday 4th June 2024 16:50 GMT MachDiamond
"Something a bit odd here. 3B records < 300B bytes of data. That's not much data per record."
Accuracy in reporting is far less important these days than getting a headline that sounds good so people will click on it. I'd not be surprised if the information is being given orally and "reporters" are having to make quick written notes and will not have a way to verify anything later. Even press handouts are often a complete mess or break out information in ways that are easy to misquote.
-
Tuesday 4th June 2024 11:39 GMT Cliffwilliams44
This type of data is not being used for background checks.
For a background check you are interested in criminal history and possibly credit report.
A database that contains address history and relatives would primarily be utilized by debt collection agencies. They, IMO, have no right to that data.
-
Tuesday 4th June 2024 22:02 GMT John Brown (no body)
Yes, depending on what it's for, they may ask for all sorts of additional details, including the right to peruse your bank account, so along with all my personal details, at least one UK vetting agency has (or more hopefully *had*) my full bank account details too. I'd like to think they don't store all of the data, just a check box to say it's been seen, verified and deleted, but I don't know that for sure.
-
Wednesday 21st August 2024 14:39 GMT Caesarius
Problem with link in article
The link is https...www.nationalpublicdata.com...optout.html
My browser received text that included this:
"Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data."
And then I was invited to ask why I was blocked, submitting what must be some of my personal data.
Please check whether you want to remove that link from the article.