After nearly 3B personal records leak online, Florida data broker confirms it was ransacked by cyber-thieves

A Florida firm has all but confirmed that millions of people's sensitive personal info was stolen from it by cybercriminals and publicly leaked. That information, totaling billions of records, includes the names, Social Security numbers, physical and email addresses, and phone numbers of folks in the United States, UK, and …

  1. nematoad Silver badge
    Mushroom

    No!

    ...its data was stolen and shared.

    No it wasn't. It's our data that was stolen and shared.

    Instead these leeches took all the personal information about other people to turn it into a revenue stream for itself.

    If that was not bad enough they were then so careless that a third party got into their systems and took millions of people's personal records.

    Let's get out the tar and feathers and run these parasites out of town on a rail.

    1. diodesign (Written by Reg staff) Silver badge

      Well, yeah

      I get what you're saying but I also want to make clear it was NPD's responsibility to secure that information. It wasn't just that your data was taken, your data in NPD's charge was stolen -- that's how it should be read.

      C.

      1. Bendacious Silver badge
        Happy

        Re: Well, yeah

        Completely off-topic but I love the fact that Chris Williams hasn't given himself a gold badge. It might be that he thinks these badges are pointless. I like to think that he doesn't feel that he's earned one yet and it motivates him to get out of bed in the morning, striving to be good enough for gold.

        1. druck Silver badge

          Re: Well, yeah

          I think it's more down to not spending every waking minute posting comments.

          1. Bendacious Silver badge

            Re: Well, yeah

            Gold badges aren't for posting comments. They are for outstanding contribution, as judged by Chris. He has clearly judged himself as not yet deserving of one.

            https://www.theregister.com/2012/03/23/el_reg_forums_faq/

            1. Anonymous Coward

              Re: Well, yeah

              And yet, some of us take the badges for the compliment and thanks they are, but do not rely on them to validate our comments.

              Yes, I is one, and no, not going to tell you why I'm one of them :).

              1. Dimmer Silver badge

                Re: Well, yeah

                I had one and I was booted for someone that was more informed than I. (And has better grammar)

                Thanks for the time I borrowed it and I am thrilled those guys are recognized for their quality contributions.

      2. Michael Wojcik Silver badge

        Re: Well, yeah

        your data in NPD's charge was stolen

        Well, yes; but most of this stuff in fact is public data (as NPD's name implies), scrounged from public records. So while it's "our" data, most of it is also everyone's data. What's been stolen really is NPD's agglomeration and curation of data (which, based on Hunt's analysis, was kind of crap, though that doesn't mean it's not concerning).

  2. IGotOut Silver badge

    And the consequences for the firm

    ... probably a fine totalling a week's profits.

    Even if they go bust, the directors will start another company with a few hundred million in start up funding and off they go again.

    1. John Brown (no body) Silver badge
      Mushroom

      Re: And the consequences for the firm

      And look how long it took them to finally admit it. Long after they knew and even *after* some "privacy protection" services had already started notifying victims.

      It REALLY is about time the US caught up to the EU and passed a law forcing these companies to move much faster in admitting the leaks and informing people. And it should be a Federal law, screw State sovereignty, this is affecting people across the country and the world.

    2. Michael Wojcik Silver badge

      Re: And the consequences for the firm

      There aren't any "directors". This appears to be a single-person operation, run by a retired sheriff's deputy (and occasional actor). Krebs has the details.

      Just one guy, compiling data from public records. There are a whole bunch of these outfits. Go ahead and punish this one, sure; but it won't change the overall situation a whit.

  3. An_Old_Dog Silver badge

    Company Name

    Your data is "national public data", now.

    1. Anonymous Coward

      Re: Company Name

      We'll return you to your scheduled exfiltration momentarily. But, first, here's an elderly actor to explain why we need your financial support to continue providing these vital services.

    2. The Man Who Fell To Earth Silver badge
      FAIL

      "Florida Data Broker"

      Just reinforces the notion that everything in Florida is Broken. And/or sleazy. Which it is. I lived there once upon a time.

      1. Anonymous Coward

        Re: "Florida Data Broker"

        Is that why Trump moved there?

  4. sanmigueelbeer
    Coat

    Inconsistencies in the law?

    My personal information is private and confidential. If my PII is leaked into the whole wide world, nothing happens to the actor(s) who broke in, exfiltrated and posted my details.

    However, if someone leaks classified &/or confidential documents to the whole wide world, the "full force of the law" will bear down on you.

    1. Jellied Eel Silver badge

      Re: Inconsistencies in the law?

      My personal information is private and confidential.

      You'd like to think that, but obviously it isn't, because NPD slurped it and resold it. Your private & confidential data is National Public Data. Who then lost it. Which probably means more data rapists will have grabbed that data and added it to their own databases.

      If my PII is leaked into the whole wide world, nothing happens to the actor(s) who broke in, exfiltrated and posted my details.

      If the hackers can be identified, they'll probably be prosecuted. But that's cold comfort to anyone whose private & confidential data were part of the 3bn records now floating out in the wild.

      1. Michael Wojcik Silver badge

        Re: Inconsistencies in the law?

        You'd like to think that, but obviously it isn't, because NPD slurped it and resold it.

        Yes. This was not "private and confidential" data. It was public information that NPD compiled. What's really been exposed here is not the specific pieces of information, but the whole compilation. (And, if you read Troy's analysis, it's rather a mess; but that doesn't mean it's not still useful.)

        I'm not saying this isn't a breach, or that people shouldn't be angry, or that we wouldn't be better off without bottom-feeders like Verini (the owner, and quite possibly the entire staff, of NPD). But the issue here isn't that the secret information of millions of people has been peddled by USDoD and a big chunk of it exposed to anyone who goes looking — that information was already available. The problem is that too much information is public; it's too easy for firms like NPD to gather, package, and resell it; and those firms generally have shit security.

  5. Anonymous Coward

    There's but one solution that will work.

    Anyone on the Board of a company acquiring PII and subsequently leaking it either through insufficient protection, stupidity or malice should not only be made responsible for the consequences of every user so exposed, but also be required to put their own matching set public for a year - same details and depth of information, and kept 100% up to date for a year or face a 5 year mandatory stint in a non-white collar jail.

    There is no valid reason why they should suffer any less than the victims they so made - a fine is not going to ensure more correct behaviour.

    And yes, I know their data will be copied to every crook on the planet - that too is identical to what happens to these victims who now may be subject to a lot more scams than they are already exposed to.

    Any less and this will just keep happening.

    1. Like a badger

      Re: There's but one solution that will work.

      I've suggested it before, but part of the problem is that regulators define punishment as financial penalties. Those aren't paid by those whose actions caused or allowed bad things to happen, and as a result nobody cares.

      If the CEO, CFO and CTO of these breach-permitting corporations had to wear a hat inscribed "Mr Bum Head" for every waking hour for an entire month, and with official photos mandated, then THAT would hurt them personally. Initially they'd all say "won't happen to me", but after a few twerps like NPD's c-suite had been pictured and laughed at, that really would start to concentrate minds.

      1. John Brown (no body) Silver badge

        Re: There's but one solution that will work.

        Maybe that could be done on HaveIBeenPwned? Photos should be easy enough to track down and photo editing s/w has been around for quite a while now. If there's any doubt over the face in the photo, then just publish the names, companies and position held of the board members.

        WallOfShame.com is available, but is being held by a cybersquatter as "for sale" at the moment.

        1. Michael Wojcik Silver badge

          Re: There's but one solution that will work.

          That would rather dilute HIBP's mission, and make it less palatable to the many government agencies and corporations which use it for things like breach notification and password evaluations — very important functions. And I think Troy has enough on his plate.

      2. I am the liquor

        Re: There's but one solution that will work.

        I think corporate fines could be made to work, if the execs were forced to wear a sign saying "My incompetence cost my company $10,000,000" at all times.

        1. Anonymous Coward

          Re: There's but one solution that will work.

          I can see a whole new start to The Simpsons here..

          :)

        2. Michael Wojcik Silver badge

          Re: There's but one solution that will work.

          I think it's adorable how much faith some people put in public shaming.

          Sure, in The Mayor of Casterbridge Lucetta is killed by a skimmington, but that's a novel, you guys. It's not real.

          The wealthy are more than capable of turning your shaming devices into badges of honor among their small set.

          1. I am the liquor

            Re: There's but one solution that will work.

            In their "small set", who cares. When they're standing in front of the shareholders at the AGM asking them to vote on the executive bonus package, is when a timely reminder of their activities would be more useful.

    2. claimed Silver badge

      Re: There's but one solution that will work.

      I don’t know if this works, it feels so much like we’ve shown that this “secret passcode” being the way to interact with service providers is a shit system.

      Back in the day, you lived in a village, and everybody knew everybody’s name/where they lived etc

      Can we construct a system that allows us to validate identity, and therefore entitlement to service, when all PII is essentially public? Without this, I think it’s chicken and egg trying to hide PII and it inevitably leaking through one avenue or another…

      You need to be able to prove you are who you say you are when presenting yourself (MFA is pretty good for this), and you need to be able to demonstrate entitlement to service, so either the provider needs a record, or you need to possess some redeemable token that was acquired earlier.

      I don’t think it’s convenient, but I don’t see how we do this without some kind of Account system, which seems like a great way to lock people out and create a new class hierarchy, so I don’t like it either.

      I think the security adage that obscurity isn’t protection needs to apply, but I don’t think an account assigned at birth is great either, how would you configure MFA for a child, or if you lose your possessions in a house fire. I am *not* advocating for DNA tests but it seems there isn’t another way right now to move away from these secrets… I’m sure DNA tests could be faked under the right conditions.

      It seems our choices are either this mess, or 1984… any other ideas?

      1. Michael Wojcik Silver badge

        Re: There's but one solution that will work.

        By definition, if all information is available to all parties, then no party can prove it holds secret information.

        There are schemes that can make more efficient use of partly-secret information (i.e. any given piece is only available to a proper subset of parties, and those subsets are not all identical), such as identity-based encryption (IBE) schemes, initially proposed by Shamir. Those raise the work factor for impersonation.

        However, proof-of-identity[1] schemes are expensive to build and deploy. Good ones are confusing for users. Often they fail to handle common use cases, such as delegation and legal, opaque changes of identifying information (consider e.g. witness protection); and often they have horrible failure modes, where incorrect data leads to long and painful attempts by the victim to reestablish "identity" under the system.

        And strong identity systems lend themselves to surveillance and totalitarianism.

        [1] Which really means "probabilistic ways to increase confidence in distinguishing a set of communications purportedly from one actor from those of other actors", or something along those lines. You can't "prove" identity; for one thing, we don't have a good definition of identity in the first place.

    3. Michael Wojcik Silver badge

      Re: There's but one solution that will work.

      Jericho Pictures ("National Public Data" is just a dba) has a grand total of four officers. It's basically Verini's personal operation. Yeah, with a substantial change to the law we could make it possible for prosecutors to pierce the corporate veil for a case like this, but I suspect even successful prosecutions of four or five extremely minor-league players would have absolutely no chilling effect on others.

      It's not like similar major blunders by large, established firms have had any lasting consequences. Remember Equihax? Yes, in that case eventually the CEO and CISO were replaced, and Ying and Bonthu pleaded guilty to insider trading and received some fairly minor punishment. But bills to make the credit-reporting agencies — just them, not "any data broker" — responsible for breaches were killed by Congress.

  6. Tishers

    We need to develop penalties for companies such as this one who fail to have proper safeguards in place for user data.

    Not a financial penalty but prison sentences for corporate officers.

    1. Anonymous Coward

      I'd actually say:

      We need to develop penalties for companies such as this one who refuse to put proper safeguards in place for user data.

      Everyone is at risk of losing data - because we have no way of knowing what vulnerabilities are out there and actively exploited until they are discovered and reported. But I agree that there should be penalties for negligence. Especially if it's as a result of a C-Suite cost-saving exercise.

  7. Persona Silver badge

    Public Domain

    With nearly 3 billion leaked the chances are that details on all of us are there. On the plus side we don't need to worry excessively about privacy anymore as now it's all public.

  8. John Brown (no body) Silver badge

    At least there's some clarification

    At least there's some clarification of who may be affected now thanks to "covers people living in the United States, some of whom will be, say, British and Canadian,"

    The original story strongly implied it was pretty much every US, UK, EU and Canadian citizen likely to be included. Not that that's any consolation to the victims, but at least a billion or so of us can now rest easy for a few seconds until the next breach.

    Having said that, if 3 billion records "only" covers people resident in the USA over some time period, there must be an enormous amount of duplication or unlinked records in the trove.

    1. Michael Wojcik Silver badge

      Re: At least there's some clarification

      See Troy's analysis. The initial reports (based on claims by the leaker) were rubbish, confusing the number of database rows with the number of affected people. The data is also full of errors, apparently.
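    The row-count-versus-people confusion in the two comments above is easy to demonstrate. The following is an added example, not code from the article or from any of the commenters: it runs a small constructed dump (not real data) through the checks an analyst would apply before quoting a victim count. SSNs are normalised to nine digits, rows whose SSN fails the SSA's structural rules (area 000, 666 or 900-999, group 00, serial 0000 are never issued) are set aside, and the remaining rows are counted by distinct SSN so that duplicates show up separately from people.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample dump for illustration; none of these are real people.
# Rows deliberately contain duplicates, formatting variants, a truncated SSN
# and several structurally impossible SSNs.
SAMPLE_DUMP = """\
id,first,last,ssn,dob
1,Alice,Smith,123-45-6789,1970-01-01
2,Alice,Smith,123456789,1970-01-01
3,ALICE,SMITH,123-45-6789,01/01/1970
4,Bob,Jones,000-12-3456,1982-05-05
5,Carol,Lee,666-01-2345,1990-09-09
6,Dan,Wu,567-65-4321,1965-03-03
7,Dan,Wu,567-65-4321,
8,Eve,Kim,12-34-5678,1999-12-12
9,Frank,Cox,123-00-4567,1975-07-07
10,Grace,Ng,234-56-0000,1988-08-08
"""

NINE_DIGITS = re.compile(r"^\d{9}$")


def normalize_ssn(raw):
    """Strip dashes and whitespace; return the 9 digits or None if the field is not 9 digits."""
    digits = re.sub(r"[\s-]", "", raw or "")
    return digits if NINE_DIGITS.match(digits) else None


def ssn_is_structurally_valid(digits):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return True


def analyze_dump(text):
    """Count rows, malformed rows, structurally invalid SSNs, distinct valid SSNs and duplicate rows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    seen = Counter()
    malformed = 0
    invalid = 0
    for row in rows:
        digits = normalize_ssn(row.get("ssn"))
        if digits is None:
            malformed += 1
            continue
        if not ssn_is_structurally_valid(digits):
            invalid += 1
            continue
        seen[digits] += 1
    return {
        "rows": len(rows),
        "malformed": malformed,
        "structurally_invalid": invalid,
        "distinct_valid_ssns": len(seen),
        "duplicate_rows": sum(count - 1 for count in seen.values()),
    }


if __name__ == "__main__":
    for key, value in analyze_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the constructed sample, ten rows collapse to two distinct structurally valid SSNs: three rows are the same person with different formatting, one is a truncated number, and four carry numbers the SSA has never issued. A real dump would also need name and date-of-birth normalisation before any "people affected" figure is quoted, but the row count alone is never that figure.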

  9. martinusher Silver badge

    As usual the big question is unstated

    The crime is that a bunch of hackers broke into a data broker and stole information on millions of us. At least that's what the article says and everyone repeats. It implies, though, that a data broker offering our data for sale is perfectly legitimate but a different group who now may well be offering the identical data for sale is not.

    Personally I can't tell the difference between the two. If the hacking group 'stole' the information from the broker instead of just buying (or more likely, hiring) it from the broker they presumably would be some kind of legitimate outfit doing the things legitimate outfits do (which is to bother the hell out of us with meaningless marketing garbage). Since they stole what was effectively stolen property anyway we're supposed to believe that they're the Epitome of Evil.

    1. Michael Wojcik Silver badge

      Re: As usual the big question is unstated

      It's simple, really. The Good Guys charge you per query. The Bad Guys offer to sell you the whole data set.

  10. chivo243 Silver badge
    WTF?

    it's a mess

    The social security number was misused, abused if you will. It was never supposed to be your Employee ID or your Student ID, which I know it was at various places since at least the early 70's... The social security card can't be used by you for identification purposes, but the number can identify you.

    1. Michael Wojcik Silver badge

      Re: it's a mess

      This is a myth. The "not to be used" notice was dropped from Social Security cards decades ago. The SSA has a "history of the Social Security card" page on their site which goes into the details.

      1. chivo243 Silver badge
        Trollface

        Re: it's a mess

        My card from the 70's still says it... it must be true.

  11. cFortC

    SSN and DOB must be downgraded for online security purposes

    For some time now, knowledge of SSN and DOB no longer qualifies to securely identify someone, especially (but not exclusively) on the internet.

    All financial, health, phone and internet service providers, and any other entity who thought these items were valid to identify a client, should stop ASAP. Although less than perfect, such vetted ID services as ID.me must be utilized, at a minimum, for a more secure form of client identification.

    This includes the consumer credit reporting agencies. This means that just SSN cannot be sufficient to run a credit check or open a line of credit. Also, last time I tried it, aside from SSN and DOB, I only had to answer (or guess) a handful of easily researched questions about past addresses, car loans, etc. to gain access to my complete credit report.

    1. martinusher Silver badge

      Re: SSN and DOB must be downgraded for online security purposes

      Medicare replaced the SSN with another identifier years ago. It's possible.

      The SSN was never intended as an ID number -- it says so on the card -- but that doesn't stop banks and other organizations using it. When they get scammed they act all innocent and assume it's our fault, expecting us to pay up and clean up the mess.

      1. cFortC

        Re: SSN and DOB must be downgraded for online security purposes

        Yes, the fact that they were forced to change Medicare ID numbers just emphasizes the widespread availability of SSNs -- real short-term money and medical privacy was at risk and the authorities acted appropriately for once.

        Which leads to the idea that raw SSN be returned for use only as your retirement account number. For any other use, the SSN holder would go online to their SSN account and generate a single-use token string to hand over. The token could be one-time as for a credit check, or open-ended but bound to the digital ID of the employer or financial institution that requested it.
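        The token scheme sketched in the comment above (and the "redeemable token acquired earlier" idea further up the thread) can be made concrete. What follows is an added illustration, not code from the article, from any commenter, or from the SSA or ID.me; the service, its method names and the "pairwise identifier" it hands back are all assumptions of this example. The holder logs in to an issuer and mints either a one-time token (a credit check) or an open-ended token bound to one requester's digital ID (an employer or lender). The requester presents the token together with its own ID; the issuer verifies an HMAC tag over the token's fields, enforces single use or requester binding, and returns a per-requester pseudonym derived from the SSN rather than the SSN itself, so the raw number never leaves the issuer.

```python
import hashlib
import hmac
import secrets
import time


class SsnTokenService:
    """Hypothetical issuer for holder-minted, requester-redeemable SSN tokens.

    Tokens look like "<random id>.<hmac tag>". The issuer keeps the record for
    each token; the tag binds the record's fields so a guessed or altered
    token is rejected before any state is consulted. Not a real SSA interface.
    """

    def __init__(self, secret_key, clock=time.time):
        self._key = secret_key            # issuer-side HMAC key, never shared
        self._clock = clock               # injectable for testing expiry
        self._holders = {}                # login -> SSN digits, only at the issuer
        self._tokens = {}                 # token_id -> record

    def register_holder(self, login, ssn_digits):
        self._holders[login] = ssn_digits

    def _tag(self, token_id, login, mode, requester_id):
        msg = "|".join([token_id, login, mode, requester_id or ""]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def mint(self, login, mode, requester_id=None, ttl_seconds=900):
        """Holder action: create a one_time token or a bound token for one requester."""
        if login not in self._holders:
            raise KeyError("unknown holder")
        if mode not in ("one_time", "bound"):
            raise ValueError("mode must be one_time or bound")
        if mode == "bound" and not requester_id:
            raise ValueError("bound tokens need a requester_id")
        token_id = secrets.token_urlsafe(16)      # 128 bits, no '.' in the alphabet
        self._tokens[token_id] = {
            "login": login, "mode": mode, "requester_id": requester_id,
            "expires": self._clock() + ttl_seconds, "used": False, "revoked": False,
        }
        return f"{token_id}.{self._tag(token_id, login, mode, requester_id)}"

    def revoke(self, login, token):
        """Holder action: withdraw an open-ended token early."""
        rec = self._tokens.get(token.split(".", 1)[0])
        if rec and rec["login"] == login:
            rec["revoked"] = True

    def redeem(self, token, requester_id):
        """Requester action. Returns (ok, reason, pairwise_id); never the raw SSN."""
        try:
            token_id, tag = token.split(".", 1)
        except ValueError:
            return False, "malformed", None
        rec = self._tokens.get(token_id)
        if rec is None:
            return False, "unknown", None
        expected = self._tag(token_id, rec["login"], rec["mode"], rec["requester_id"])
        if not hmac.compare_digest(tag, expected):
            return False, "bad_tag", None
        if rec["revoked"]:
            return False, "revoked", None
        if self._clock() > rec["expires"]:
            return False, "expired", None
        if rec["mode"] == "bound" and rec["requester_id"] != requester_id:
            return False, "wrong_requester", None
        if rec["mode"] == "one_time":
            if rec["used"]:
                return False, "already_used", None
            rec["used"] = True               # burn before answering
        ssn = self._holders[rec["login"]]
        # Stable per-requester pseudonym: same holder + same requester -> same id,
        # but two requesters cannot join their records on it.
        pairwise = hmac.new(self._key, f"{requester_id}|{ssn}".encode(),
                            hashlib.sha256).hexdigest()[:16]
        return True, "ok", pairwise


def demo():
    """Walk through both token kinds; returns the outcomes in order."""
    svc = SsnTokenService(secrets.token_bytes(32))
    svc.register_holder("alice", "123456789")
    one = svc.mint("alice", "one_time")
    bound = svc.mint("alice", "bound", requester_id="acme-bank")
    return [
        svc.redeem(one, "credit-bureau")[0],      # first use succeeds
        svc.redeem(one, "credit-bureau")[1],      # second use is refused
        svc.redeem(bound, "other-bank")[1],       # wrong requester is refused
        svc.redeem(bound, "acme-bank")[0],        # bound requester succeeds
        svc.redeem(bound, "acme-bank")[0],        # and may keep using it until expiry or revoke
    ]


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the credit bureau or lender ends up with a verified assertion and a pseudonym it can key its own records on, while the holder can revoke an open-ended token or let it expire; nothing the requester stores is worth stealing as an SSN.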

      2. Michael Wojcik Silver badge

        Re: SSN and DOB must be downgraded for online security purposes

        it says so on the card

        It used to say so on the card, but 1) that was never enshrined in law, and 2) that notice was dropped from the cards decades ago. This "not for identification" thing is a widely-debunked myth. People need to stop repeating it; it adds no value to the discussion.
