Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?

A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough. The information silo appears to have been obtained somehow from Florida-based CheckPeople.com, …

  1. EVP

    CheckMate

    Companies just won’t start taking privacy, safety and security seriously unless there are _serious_ consequences when they fcuck up badly enough.

    Great power, i.e. ability to damage customers and chance to make big money to the company, should come with great responsibility. Fines should make such a dent in profits that shareholders would make sure that everything is done right. Similarly, CEOs and other persons in power should face harsh enough punishments, otherwise most of them won’t give a rat's ass about privacy and stuff. Nowadays, it’s a wrist slap to the company and a golden jet pack to the CEO.

    In my view it is a privilege to be able to own a business, run it and make money. We should not allow greedy, stupid and incompetent people to taint that great privilege.

    Checkmate, CheckPeople.

    1. Anonymous Coward
      Anonymous Coward

      Re: CheckMate

      Late capitalism laughs at your quaint views of privacy or justice.

      1. Anonymous Coward
        Anonymous Coward

        Re: late capitalists

        "Late capitalism laughs at your quaint views of privacy or justice."

        Would that be the same late capitalists that used to think routine testing of cosmetics etc on animals was a legitimate part of their business operations?

        Did anything change their business operations? If so, what changed it, and what makes today's capitalists think it won't happen again?

        1. SWCD

          Re: late capitalists

          "....routine testing of cosmetics etc on animals was a legitimate part of their business operations?...."

          The cosmetics MAY have stopped, the etc almost certainly hasn't - to the tune of millions of operations per year in the UK. It's likely animals are abused just as much as they ever were just <whisper>folk know to keep it quiet now!</whisper>.

          1. RegGuy1 Silver badge

            Re: late capitalists

            Maybe combine the two -- you fuck up on data privacy and we'll test our cosmetics on your CEO.

            1. Phil W

              Re: late capitalists

              "you fuck up on data privacy and we'll test our cosmetics on your CEO"

              ......are you trying to encourage the coalface workers to leak people's data?

              1. Anonymous Coward
                Anonymous Coward

                Re: late capitalists

                ... *blink * You mean you aren't?

            2. spold Silver badge

              Re: late capitalists

              Why does lipstick on a pig come to mind...?

            3. Mephistro
              Devil

              Re: late capitalists

              "...and we'll test our cosmetics on your CEO."

              Please make sure to test those experimental products made of chilli extracts!

          2. Drew Scriver

            Re: late capitalists

            Sure - companies keep at their abuse. But consumers keep buying their wares.

            Once consumers start to really care the problem will magically go away. That's how capitalism works.

            hy·poc·ri·sy

            /həˈpäkrəsē/

            noun

            The practice of claiming to have moral standards or beliefs to which one's own behavior does not conform; pretense.

            1. VulcanV5

              Re: late capitalists

              @ Drew Scriver: "Companies keep at their abuse. But consumers keep buying their wares".

              Dumbed-down consumers, that is. Of whom there are many millions, all served by dumbed-down or corrupt media.

              I well remember the gushing reviews for the newly updated Volkswagen Passat that appeared in motoring magazines and on motor review websites not long after the Volkswagen emissions scam was exposed.

              A friend of mine bought a new Volkswagen Polo around that time. When I asked him if the emissions scandal bothered him, he said 'no: all the manufacturers are probably at it. So what can we do about it? Answer: nothing."

              I hope his fcucking Polo has cost him a mint. (Here in the UK).

              1. imanidiot Silver badge

                Re: late capitalists

                Knowing the average service requirements of a VAG product, that Polo probably HAS cost him a mint

                1. Anonymous Coward
                  Anonymous Coward

                  Re: late capitalists

                  VAG includes Audi, VW, Skoda, Seat, Porsche and others, all of which are highly valued by UK buyers. You obviously don't.

                  Is your point that other people have different views to you and therefore they are wrong?

                  1. fidodogbreath

                    Re: late capitalists

                    Is your point that other people have different views to you and therefore they are wrong?

                    I think the point was that VAG products are expensive to maintain. Not sure how you missed that.

                  2. Anonymous Coward
                    Anonymous Coward

                    Re: late capitalists

                    I didn't. But thanks for the passive aggressiveness.

                    People are happy to pay those costs because they value the product.

                    Why do you have to criticise them because they value different things to you?

                    1. ds6 Silver badge
                      Megaphone

                      Re: late capitalists

                      Just because people don't mind paying exorbitant prices doesn't mean they are not paying exorbitant prices. The guy stated that service costs are high and made no attempt to attack anyone that owns one, nor was it implied. You are pushing a false agenda.

                      I want to try assuming intent too: It sounds like you are in the group of people that own one of these vehicles and feel the need to vehemently defend yourself over any perceived criticisms in order to validate your expensive purchase. Wow, that was fun!

                  3. This post has been deleted by its author

                    1. Loyal Commenter Silver badge

                      Re: late capitalists

                      Audi: One set of indicator lights for sale, never used.

                  4. imanidiot Silver badge

                    Re: late capitalists

                    Read up on the (systematic) issues on VAG cars. Things like the TFSI engine, window regulators, door handles, certain buttons, etc. It's fine if people like the cars, I don't fault anyone for that, but it's known some VAG products have quality issues that can become quite expensive very fast. And because many of those parts are shared between all those brands, it affects all those brands just as much. For the first owner many of these problems are merely an inconvenience because it's all covered under warranty, but it can get expensive for second or third (etc) owners. Talk to a VAG mechanic if you don't believe me.

                    1. ds6 Silver badge
                      Paris Hilton

                      Re: late capitalists

                      Talk to a VAG mechanic if you don't believe me.

                      A gynecologist?

              2. Anonymous Coward
                Anonymous Coward

                Re: late capitalists

                @VulcanV5

                Great "friend" you are, wishing ill on your mate.

                1. Kiwi
                  Pint

                  Re: late capitalists

                  Great "friend" you are, wishing ill on your mate.

                  For the most part I agree.

                  However, sometimes there's things where "I told you so. Serves you right!" are quite apt. Not sure if it applies to VW (no real experience of them), but I did have a friend seek my advice on a "status car" where the brand had once been top quality but now was garbage. I told him to avoid it, his family told him to avoid it, and several owners told him to avoid the brand but for much of his life he'd viewed this brand as a status symbol and had his chance to own one. Surely the rest of us (including those with direct experience) couldn't be wrong!

                  He got an expensive pile of crap that had all sorts of weird (and well documented) failures, breakages, and massive shortages of spare parts for things that aren't normally replaced in the life of other brands' cars. He was warned, he ignored us, we all felt he got what he deserved. When he came to me for help fixing it I reminded him I'd already told him I wanted no part in it.

                  We're still good friends. He's a bit older and a lot wiser when it comes to checking out cars before buying :)

            2. O RLY

              Re: late capitalists

              I have always despised the word "consumer" as it is used in the modern parlance. It seems vaguely pejorative, as though the masses of people are bleating livestock wallowing in line for feed before their inevitable trip to the abattoir.

              Cynically, that's probably exactly how marketing bods view us, except instead of slaughtered, we're sheared of the contents of our wallets.

              1. JohnFen

                Re: late capitalists

                I agree, but sometimes I use the term anyway for clarity.

                For instance, when a company is trafficking in personal data belonging to the general public, calling the general public "customers" is incorrect -- those people are not the customers of the company. Saying "general public" would work, but is a bit clumsy, and everyone understands that "consumer" is a synonym for that.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: late capitalists

                  But with that definition, the general public are all taken to be consumers ie implying everyone, when actually customers are the only ones that are relevant.

              2. Anonymous Coward
                Anonymous Coward

                Re: late capitalists

                @O RLY

                Well done - the penny drops.

                For many people, being a consumer is a hobby.

              3. Anonymous Coward
                Anonymous Coward

                Re: late capitalists

                > "we're sheared of the contents of our wallets."

                Blame it on Bruce!

                "Bruce here teaches classical philosophy, Bruce there teaches Hegelian philosophy, and Bruce here teaches logical positivism, and is also in charge of the sheep dip."

            3. anonanonanon

              Re: late capitalists

              That doesn't really hold up, at all.

              Take this article, DB with millions of peoples info in it, Did they buy from checkpeople?

              No.

              But someone else is, not the subjects of the data breach, it's valuable to someone else.

              Even if the subjects of the data breach did somehow fund the owners of the DB, saying you won't buy after the fact that the data breach has happened won't get them their privacy back will it?

              sim·plis·tic

              treating complex issues and problems as if they were much simpler than they really are.

              1. Loyal Commenter Silver badge

                Re: late capitalists

                This is a good example of why "the market" isn't some golden panacea for all the world's woes, and how some things need to be legislated for.

                In the US, personal data is owned by the person, or more likely company, that has collected it, and the subjects have little to no rights over it. There may be some state laws that tighten things up a bit in places like California, but I doubt these really give people decent rights over their own data. This is the reality of the "free market".

                In the EU (of which the UK is still just a part), there are strong protections over the collection and processing of personal data (under GDPR, and prior to that, to a lesser extent, under the DPA in the UK). People have a right to know what data is collected about them, and for what purpose, and for most purposes, clear informed consent is required.

                If the data in question had been leaked from a business based in the EU, they would be facing a fine of up to 4% of global annual turnover. In the US, they probably haven't even done anything "wrong". I think a few more of these scandals, and the US will eventually move towards legislating the "market" in personal data, but I'm willing to bet that the protections for citizens there will never be as strong as they are in the EU. Remind me again why so many people seem so keen to run into the welcoming arms of our transatlantic cousins, as a subordinate, in preference to those of the EU, as an equal (or even preferred) partner?

            4. JohnFen

              Re: late capitalists

              "Sure - companies keep at their abuse. But consumers keep buying their wares."

              With a lot of companies, including most companies that make money by exploiting personal data (such as CheckPeople), consumers are not their customers in the first place. You and I have no market leverage over their behavior at all.

              1. Anonymous Coward
                Anonymous Coward

                Re: market forces, political processes

                "With a lot of companies [Jo/Joe Public has] no market leverage over their behavior at all."

                Exactly. How does JoJoe Public express their dissatisfaction with (e.g.) Crapita? Or with ATOS?

                "Market forces" don't work in lots of places where perhaps they should; the days when a lawful public boycott allegedly contributed to e.g, changes in apartheid-era South Africa are long gone.

                Now, back to how "testing on animals" became a Bad Thing. At least in the UK, it wasn't initially via politicians, or lawful protest groups. And that's the point I was trying (apparently failing) to make.

                It wasn't market forces or the legacy political process or even peaceful lawful civil disobedience that really changed things. In this instance it was, in part at least, direct action (sometimes of dubious legality) by animal rights activists against players directly or indirectly involved in alleged animal cruelty, e.g. ferry companies involved in live animal exports. And more specifically and maybe more understandably, direct action against the companies doing the animal testing, and their employees and management and associates.

                Huntingdon Life Sciences (now inevitably renamed) for example was central to those activities.

                Maybe the UK's Poll Tax riots would have been a better example of where direct action outside the usual political process caused Our Glorious Leaders to promise change and to an extent something was delivered, but that example didn't come to mind at the time of my earlier post. Sorry about that. And the effect in that example has largely been lost anyway; Heseltine's actions in Liverpool have been superseded by the Northern Poorhouse for the foreseeable future.

                Other alternative campaigners to mention might have included the early incarnations of Farmers For Action, or Fathers For Justice, or the Gilets Jaunes, or other organisations and special interest groups that have decided that the "legitimate political process" isn't for them.

                So let's not focus exclusively on the "animal testing" stuff too much, if you please.

                Have a great weekend, toodle pip, tally ho, see you down the Lodge shortly.

                1. Venerable and Fragrant Wind of Change

                  Re: market forces, political processes

                  Exactly. How does JoJoe Public express their dissatisfaction with (e.g.) Crapita?

                  I can give you a real live example there. I bin their regular letters from TV licencing, leaving them forever wasting their effort on chasing me. A very minor thing, but that's all a single consumer can expect to do - if I boycott a particular supermarket as an individual, they'll notice it even less.

                  1. rmason

                    Re: market forces, political processes

                    Great. Well done.

                    So UK.gov pays capita to chase you, they chase you, they get paid. All you're doing is binning a letter.

                    So back to the original point of "How does Joe Public express their dissatisfaction for (e.g) Crapita?"

                    The answer remains: "You can't, not in any way, shape or form."

                    binning it makes you feel better, sure. They still get paid, regardless.

            5. fidodogbreath

              Re: late capitalists

              Once consumers start to really care the problem will magically go away. That's how capitalism works.

              Hard to vote with your money when seemingly every company (a) collects mountains of personal data and (b) secures it poorly (if at all).

              1. MachDiamond Silver badge

                Re: late capitalists

                "Hard to vote with your money when seemingly every company (a) collects mountains of personal data and (b) secures it poorly (if at all)."

                It's hard to avoid public information although it should be made hard to access public information in bulk without a petition if you are doing research that needs a large dataset. A gateway that requires some sort of Captcha test for each record and an IP limited number of records per time period would be a good start.

                If you are concerned about your own privacy, take some steps to protect it. Don't sign up for "rewards" cards. Don't enter contests. When asked to fill out a form, stop and think whether what's being requested is relevant for the requestor to know. Get off or stay off social media sites. Use alternate search engines and forgo Chrome at all costs. Lie. A lot. Keep the data and wi-fi turned off on your mobile when you aren't actively using it. Get an old fashioned SatNav for the car instead of using your pocket tracking device (phone). Does the shopping center have Automatic License Plate Readers? Don't go there and send letters to all of the shops why you won't spend your money with them. PAY WITH CASH. Get a post office box for your mail and never have anything sent to your home via common carrier (FedEx, UPS, DHL, etc. They all keep databases that they sell). Big online shops such as Amazon collect and sell everything about you.

                There is lots of information about you that you have no hope of keeping off of lists. That doesn't mean you shouldn't be working to keep from adding to those databases. If the info on you isn't being updated, it's going to be chucked in the bin as past its sell-by date by anybody buying a list. Lots of current data means you are alive and spending money so you are a more lucrative piece of property.

                Equifax in the US blew it big time with their data breach on the vast majority of the US population. Their punishment: paying lawyers a bunch of money but not much else. Everybody affected may, MAY get free credit monitoring. Everybody cheer, free credit monitoring (surveillance). It should have put the company completely out of business and brought on trials for criminal negligence of the executives. The thing is that credit reporting companies are regulated. Companies that compile and sell personal information aren't unless they cross a vague credit-y sort of line that hasn't really been tested in court. They mostly don't have to tell you about information that they attribute to you nor are they required to correct any information that you tell them is incorrect if you do find out about it. This is where it's good to lie. If they will correct the information, feed them some waste water. Just be sure you aren't volunteering any new information that they don't have.

                Conspiracy: The data is being leaked so somebody in power someplace can point to the breach when they have to say where they sourced some information. A variation on the "stolen laptop" scam.

                Since this data is too well known, it's going to have been picked up by most of the other sleazy data merchants and merged into their databases as well.

                There is a definite line between paranoid and prudent. Don't worry about being called the former when being the latter.
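The comment above suggests a gateway that limits how many records a single IP can pull per time period. As an added illustration (not code from The Register, CheckPeople, or the commenter), here is a sliding-window limiter that gives each client IP a fixed budget of records per rolling window and denies fetches that would exceed it; the window size, budget, client addresses and request log are constructed assumptions.

```python
"""Per-client record-access gateway limiter.

Added example (not from The Register article, CheckPeople, or the
commenter above): a sliding-window limiter that caps how many records a
single client IP may fetch per time period. The limits, the clock
values and the request log below are constructed for illustration.
"""
from collections import defaultdict, deque


class RecordRateLimiter:
    """Allow at most `max_records` record fetches per client IP in any
    rolling window of `window_seconds`."""

    def __init__(self, max_records: int, window_seconds: float) -> None:
        self.max_records = max_records
        self.window = window_seconds
        # client IP -> timestamps of records served inside the window
        self._served = defaultdict(deque)

    def _prune(self, client_ip: str, now: float):
        """Forget fetches that have aged out of the rolling window."""
        q = self._served[client_ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, client_ip: str, now: float, n_records: int = 1) -> bool:
        """Return True and book the fetch if it fits the client's budget.

        A denied request is not booked, so a client that keeps retrying
        does not push its own window further out.
        """
        q = self._prune(client_ip, now)
        if len(q) + n_records > self.max_records:
            return False
        q.extend([now] * n_records)
        return True

    def remaining(self, client_ip: str, now: float) -> int:
        """Records the client may still fetch before the window rolls on."""
        return self.max_records - len(self._prune(client_ip, now))


# Constructed request log: (seconds since start, client IP, records asked for).
# Addresses are documentation ranges, not real clients.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.7", 1),
    (1.0, "203.0.113.7", 1),
    (2.0, "203.0.113.7", 3),   # brings this client to 5 records in 60 s
    (3.0, "203.0.113.7", 1),   # a 6th record inside the window: denied
    (3.5, "198.51.100.2", 1),  # a different client has its own budget
    (30.0, "203.0.113.7", 2),  # still over budget
    (61.0, "203.0.113.7", 2),  # fetches at t=0 and t=1 expired: 2 free slots
]


def run_gateway(requests, max_records=5, window_seconds=60.0):
    """Apply the limiter to a request log; return (ip, served?) per request."""
    limiter = RecordRateLimiter(max_records, window_seconds)
    return [(ip, limiter.allow(ip, t, n)) for t, ip, n in requests]


if __name__ == "__main__":
    for ip, ok in run_gateway(SAMPLE_REQUESTS):
        print(f"{ip:<14} {'served' if ok else 'denied'}")
```

The budget is counted in records rather than requests, so asking for several records at once draws down the same allowance as asking for them one by one. A per-IP limit on its own only slows bulk collection from a single address; the CAPTCHA-per-record step the comment also mentions, and a global cap across all clients, are the usual complements.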

          3. Phil O'Sophical Silver badge

            Re: late capitalists

            "....routine testing of cosmetics etc on animals was a legitimate part of their business operations?...."

            The cosmetics MAY have stopped,

            I doubt it, it's a useful part of the testing.

            In any case, companies like The Body Shop, who make a great fuss over "no animal testing" for their finished products, conveniently gloss over the fact that many of those products can only be sold today because some of the chemicals in them were tested on animals in the past in order to get their approval, so they're still using animal-tested ingredients.

            1. Doctor Syntax Silver badge

              Re: late capitalists

              Even if the individual components were tested individually it still doesn't mean that their particular combination is safe - a wetting agent may, for instance, increase skin penetration of some other component.

              It's amazing how much fuss they can make over putting gloop in bottles whilst saving the costs of safety checks.

          4. Cynic_999

            Re: late capitalists

            The reason that cosmetics are/were tested on animals is that we humans tend to value our own safety & comfort way, way above that of almost any other living thing. An attitude that is in my opinion perfectly reasonable. It's just the point at which you decide that the benefit to humans is worth risking the life of the animals that is open for debate.

            Treating the lives of everything as being equally important would be absurd. You'd dare not even move for fear of treading on an innocent ant.

            Many people believe that the benefit of having safe cosmetics is not worth the risk of animal testing. There are far fewer people who believe that the benefit of having safe medicines is not worth the risk of testing on animals. Fewer still who believe that the benefit of travelling above walking pace is not worth the annual death toll to the thousands of animals that get run over on our roads each year.

            1. JohnFen

              Re: late capitalists

              "Treating the lives of everything as being equally important would be absurd."

              I don't think that asserting that we should not torture animals counts as treating animals as equally important to people.

            2. Charles 9

              Re: late capitalists

              "Treating the lives of everything as being equally important would be absurd. You'd dare not even move for fear of treading on an innocent ant."

              Isn't that a fundamental part of Hinduism: that to kill even the tiniest insect is wrong, given you may be killing a reincarnated ancestor?

              1. stiine Silver badge

                Re: late capitalists

                As an ant? They had poor karma. Go ahead and step on it.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: late capitalists

                  Plus if being an ant is so very bad, surely it's better to be an ant for a short time?

        2. Doctor Syntax Silver badge

          Re: late capitalists

          "Would that be the same late capitalists that used to think routine testing of cosmetics etc on animals was a legitimate part of their business operations?"

          On the other hand: It's Christmas Winterval. Here's a very expensive mixture we're selling you to give to your nearest and dearest to smear over themselves. It's so dangerous we haven't tested it on animals.

        3. 404

          Re: late capitalists

          No, it's cheaper & far less repercussions using humans nowadays... NDA's, forced arbitration, medical waivers, 'test groups'...

          Disclosure: Have Stage 4 colon cancer and yeah getting worse rather than better.

        4. philebbeer

          Re: late capitalists

          I appreciate what you are saying, but to be fair, it is not the cosmetic companies that want to engage in incredibly expensive animal testing, it is the government that demands animal testing of products to be used on humans. Remember Thalidomide? Only tested on one species, which didn't have a problem with it

          1. Loyal Commenter Silver badge

            Re: late capitalists

            Remember Thalidomide? Only tested on one species, which didn't have a problem with it

            That's not strictly correct.

            The problem with thalidomide is that the compound in question can exist as two different enantiomers (essentially mirror images). One of these was tested and found to be effective as a treatment for morning sickness. It was duly approved and went into production. When being manufactured in bulk, it turned out to be a lot cheaper to manufacture the mixture of both enantiomers, and the company involved assumed that the other enantiomer would be inactive, or harmless - a lot cheaper to manufacture something of 50% purity, assume the other 50% was harmless and double the dose, than to purify a mixture of enantiomers with almost identical chemical and physical properties. Unfortunately, it turned out that the other enantiomer wasn't harmless and inactive, but that it causes birth defects. As far as I am aware, the "correct" enantiomer is harmless, and effective, but nobody dares market it now due to the scandal involved.

            This is another good example of why the "free market" requires regulation, and why there are now stringent safety regulations about the purity of medicines. Without regulation for people's safety, free-market capitalism is a race to the bottom, to produce the lowest-quality goods at the cheapest price the market will bear. It makes some people very rich, and everyone else poorer.

      2. Anonymous Coward
        Anonymous Coward

        Re: CheckMate

        Slap them with a $ 1 million fine - Then they will start to take this seriously..

        1. MachDiamond Silver badge

          Re: CheckMate

          $1 million? That's a joke.

          Everything they have and criminal liability for the executives.

          Collecting and maintaining Personal Identifying Information should be fraught with risk for a company and its executives. The more risky it is, the more valuable the business can be through higher prices for the data. This means that the companies doing it will be more valuable and that 'should' lead to better security practices. Companies that aren't in the business of collecting and selling PII may start thinking that it's too much of a hot potato to have around and delete it when transactions are complete to the extent possible. Obviously, there will be legal requirements to hold on to certain data for a period of time, but if that's the case, maybe it will be locked up in a lead lined safe instead of left out on the counter.

        2. Anonymous Coward
          Anonymous Coward

          Re: CheckMate

          There are "coalface workers" out there in some companies that make 10x that in yearly bonuses. Even your bog standard average financial asset trading company turns over in excess of $100bn annually and pays $8-15m bonuses to traders. The sums of money moving around the globe daily are absolutely frighteningly huge.

          You want to fine them? Screw up once and you pay 40% of the next year's profits to some org body. Second screw up and the company pays zero divvies to the shareholders; if there's anything left, the cash again goes to some charitable org. Third screw up, sack the CEO and put them inside for 3-6 months.

          Annual AGM, you need to explain to your shareholders why you can't pay the divvies they were expecting this year, trust me nothing scares companies more than the threat of the shareholders pulling out their investments.

        3. rmason

          Re: CheckMate

          A 1 million fine eh?

          How much do you think it would cost them, as a whole entity, to hire highly qualified and experienced security, networking and IT teams?

          Hint; more than a mil, which is why they do what they do. The slap on the wrist is less than the cost of doing it properly. It was ever thus, and that's why we see people operating the way they do.

    2. SWCD

      Re: CheckMate

      "Companies just won’t start taking privacy, safety and security seriously unless there are _serious_ consequences when they fcuck up badly enough."

      Hee hee, they're in China! :-D Different if they were in the UK of course. Here they'd be fined an astronomical amount, then close the business to avoid paying the fine... Meanwhile, the data is out there anyway.. Don't waste the time worrying about it, and give up the shredder.. They're so 1990's.. No-one's going to root around your bin for papers when all your info is online. Free up that hour every-other-Sunday for something more productive.

      Accept that your personal details are out there...

      ...and hope that intimate details DON'T get out there!

      Get used to someone knowing your name, address, DOB, etc.

      ...and hope that Red Tube et al are never broken into :-\

      1. EVP

        Re: CheckMate

        “Hee hee, they're in China! :-D Different if they were in the UK of course. Here they'd be fined an astronomical amount, then close the business to avoid paying the fine...”

        Yeah, that’s unfortunately often the case. What is even more unfortunate is that quite a few companies established in our very own western countries treat their customers unlubricated. Why don’t we start with them?

        1. SWCD

          Re: CheckMate

          Happy to, but can't help imagine it'll get to the point where someone with deep pockets will have a lawyer arguing something like -

          "It's true X data was stolen, BUT, there's some very similar datasets out there already! Yes, the baddies got name/address info from us, but that was already public knowledge! All they got from us in addition to that was the amount of their last phone bill. That's hardly private information!"

      2. TimMaher Silver badge
        Facepalm

        Re: CheckMate

        I've just bought a new shredder. £25 cost.

        Bummer.

      3. Doctor Syntax Silver badge

        Re: CheckMate

        "Here they'd be fined an astronomical amount, then close the business to avoid paying the fine."

        In which case their failure to read the fine print of the DPA would come as a nasty surprise to them. Yes, officials can be held responsible.

      4. JohnFen

        Re: CheckMate

        Checkpeople is not in China. It's in the US.

      5. spold Silver badge

        Re: CheckMate

        Yes, in China the regulators can detain company officers in a Chinese jail while they investigate a breach. The regulator fines are only US$ 150K plus, so the jail possibility is much more motivational.

        No to the personal details in some cases... if you happen to have an estranged spouse who might come around and kill you, or are a police officer/ undercover drugs agent etc. then your name and address can be quite sensitive; but then again, you are hopefully not in the phonebook in those cases (which is what this data seems to be mostly).

    3. NeilPost Silver badge

      Re: CheckMate

      https://www.theregister.co.uk/2019/07/08/ico_threatens_ba_with_huge_fine_for_huge_data_loss/

      https://www.theregister.co.uk/2019/07/09/marriott_hotels_ico_fine_intention_99m_starwood_breach/

      It’s started and well done to them.

      I hope the UK ICO also fine the ass off the UK Government for robbing the EU Schengen Database and giving a copy to US Spooks.

      1. Evil Harry

        Re: CheckMate

        "I hope the UK ICO also fine the ass off the UK Government for robbing the EU Schengen Database and giving a copy to US Spooks."

        I don't - it'll be the poor taxpayer footing the bill again.

        1. JimmyPage Silver badge
          Stop

          Re: UK Government for robbing the EU Schengen Database

          Er, WTF was the UK - proudly not and never going to be a member of Schengen - doing with a copy of that database ?

          1. MJB7

            Re: UK Government for robbing the EU Schengen Database

            Some parts of the Schengen database are to do with security, and those are shared with all member countries of the EU.

          2. Loyal Commenter Silver badge

            Re: UK Government for robbing the EU Schengen Database

            Schengen isn't what you think it is, and certainly isn't what the Daily Heil has told you it is...

            (disclaimer - "you" here doesn't necessarily mean you personally, but signifies a general misunderstanding by the public)

        2. Anonymous Coward
          Anonymous Coward

          Re: CheckMate

          You will probably find that the UK government has a member exemption for 'security purposes'. That kind of thing won't fly with 3rd countries so they will need to rectify before the end of the year anyway to get an adequacy decision.

    4. Bruce Ordway

      Re: CheckMate

      >>greedy, stupid and incompetent people...checkmate

      Checkmate...I wish.

      I'm still waiting for a resolution to a personal data fiasco at Equifax.

      As far as I know, the only thing the US government has done since has been to award new contracts to Equifax.

    5. Cynic_999

      Re: CheckMate

      "

      In my view it is a privilege to be able to own a business, run it and make money.

      "

      While running a business carries different responsibilities, risks and rewards than other roles, I don't agree that it is any more a privilege than being an employee - or even a parent.

      1. Charles 9

        Re: CheckMate

        There are those who believe parenting should require education and a license.

    6. Anonymous Coward
      Anonymous Coward

      Re: CheckMate

      This is why it’s taken more seriously in Europe - under GDPR legislation

      A company doing this in Europe would face a stiff fine - for a breach of this scale - at least half a million dollars..

      It’s not until you do this type of thing that it’s taken seriously...

      It’s been proven time and again that companies are cavalier with other people’s information..

      1. Charles 9

        Re: CheckMate

        They'll just find a way to lawyer around it.

  2. NoneSuch Silver badge
    Go

    Lord Almighty.

    Some security guy is getting fired...

    1. Mark 85

      Re: Lord Almighty.

      Probably some intern. Then will follow the usual statement about taking security and privacy very seriously, yada, yada.

      Meantime the board will pat themselves on the back for cutting costs by putting the data in China with bonuses all around.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lord Almighty.

        "Then will follow the usual statement about taking security and privacy very seriously, yada, yada."

        Actually, and this would be breaking news, they even don't care about issuing the std.h statement !

        They really don't give a damn !

    2. YourNameHere

      Re: Lord Almighty.

      More likely some engineer sent data to his boss. But seriously, if you think you have any chance of privacy in the Wild West Web, you are sadly (or maybe happily) living in an imaginary universe...

    3. Version 1.0 Silver badge

      Re: Lord Almighty.

      Remember Equifax, they will probably retire with a big golden parachute

    4. Antron Argaiv Silver badge

      Re: Lord Almighty.

      That assumes they *have* a security guy.

      I predict that "CheckPeople" consists of a CEO, a couple of "business types" to keep the records and (maybe) pay the taxes, and a couple of knowledgeable folks to move the data around -- run the scraper scripts and move the data to the cheapest "cloud" servers they could find (in China, natch).

      Their business plan consists of accepting credit card payments and serving up whatever they have.

      If they're ever called to account, they'll try to vanish. Of course, the Florida address may be just a mail drop/lawyer's office/credit card processing site and the whole thing is a Chinese operation from start to finish run through some kind of US LLC which exists only on paper for apparent legitimacy.

      1. Antron Argaiv Silver badge

        Re: Lord Almighty.

        The reviews on this site seem to support my hypothesis:

        https://www.sitejabber.com/reviews/checkpeople.com

      2. Halfmad

        Re: Lord Almighty.

        Also the security guy could well have been pointing and shouting about this for years, from my experience..

  3. Dan 55 Silver badge
    Go

    CCPA

    Presumably they can now be sued into oblivion under California's new privacy law which came into force this year. Should be interesting to watch.

    1. phuzz Silver badge

      Re: CCPA

      I assume that law can't be applied retroactively though?

      1. Killfalcon Silver badge

        Re: CCPA

        True, but they don't seem to have stopped (cite: this article we're commenting on), so they can be done for any current breaches.

    2. Woodnag

      be sued into oblivion? No

      California's new privacy law doesn't have a right of private action.

      1. Dan 55 Silver badge

        Re: be sued into oblivion? No

        Have I read this wrong?

        What is the Risk, Under the CCPA, if a Company Has a Data Breach?

        An injured consumer may sue for statutory damages or actual damages, injunctive relief, or declaratory relief. A consumer must provide a written notice to cure the violation before bringing action if they are seeking statutory damages.

        Also, class action seems to be allowed.

        1. Woodnag

          Re: be sued into oblivion? No

          ...provision of the CCPA allows businesses the opportunity to avoid a consumer suit under the private right of action provision by “curing” the violation of “its duty to implement and maintain reasonable security procedures and practices” that resulted in “unauthorized access and exfiltration, theft, or disclosure” of the consumer’s personal information. To pursue statutory damages under the CCPA, would-be plaintiffs must first provide the would-be defendant business with 30 days’ written notice that the data security provision of the CCPA has been violated. Id. § 1798.150(b). The business then has 30 days to “cure” the violations and provide the plaintiffs with “an express written statement that the violations have been cured and that no further violations shall occur.” Id. If the business does so, then the plaintiff may not request statutory damages in a subsequent suit.

          https://www.jdsupra.com/legalnews/a-closer-look-at-the-ccpa-s-private-28984/

          1. Dan 55 Silver badge

            Re: be sued into oblivion? No

            I think it would be quite easy to argue that whatever the business has done, it has not cured the damages from having a DB with data about 72 million people accessible from the open Internet during an unknown amount of time but that is for the court to decide.

            1. Dan 55 Silver badge

              Re: be sued into oblivion? No

              And no, I don't know why I said 72 million people instead of 56 million.

  4. IGotOut Silver badge
    WTF?

    Agggghhhh!

    "It's a perfect illustration that not only is this sort of personal information in circulation, but it's also in the hands of foreign adversaries."

    If it was hosted in a sealed bunker of the NSA, surrounded by nuclear tipped missiles, which themselves were guided with laser equipped sharks all wearing camouflaged tutus, it makes no difference if it's wide open on the internet!

    1. the Jim bloke
      Big Brother

      Re: Agggghhhh!

      If it was hosted in a sealed bunker of the NSA... it would not be a foreign adversary, and that's what matters, right?

      1. dnicholas

        Re: Agggghhhh!

        If you're not American, America probably is a foreign adversary. Maybe not today but all it takes is a Twitter spat with the Toddler in Chief

        1. JohnFen

          Re: Agggghhhh!

          And if you are an American who doesn't happen to be on board with Trump, you're still an adversary as far as much of the government is concerned. Maybe not a foreign one, but I don't think that's an important distinction to them.

      2. Robert Carnegie Silver badge

        Re: Agggghhhh!

        As I'm about to tell the editor, I hold no brief for the fiendish Chinese but not everybody foreign is an adversary, either.

        The NSA probably is everybody's adversary but, to be fair, that's sort of their job.

    2. OssianScotland
      Coffee/keyboard

      Re: Agggghhhh!

      "laser equipped sharks all wearing camouflaged tutus"

      First new keyboard of 2020!

      (alternatively, mindbleach to remove the image from my - deranged - mind)

  5. razorfishsl

    It is not just this,

    there is also a site that is tied into those "video" doorbells, and "video security" systems

    sitting in China in Shenzhen....... that appears to be totally unsecured.. it even uses a HTTP front end to log in.....

    I found it the other day looking at the traffic from a product I recently installed.....

    1. MachDiamond Silver badge

      There are web sites that spider all of those video doorbells and internet baby cams. Many of those products have come with hardcoded credentials in the firmware that never gets updated or can't be updated.

      I picked up a couple of alarm company IP security cameras from the second hand shop and they were dead simple to hack.
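    The check a practitioner reaches for first on a device like the ones described above is `strings` over the firmware dump, grepped for credential-shaped text. The script below, added here as an example and not taken from the page or from any device vendor, does the same in Python: it extracts printable runs and flags URLs with embedded logins, password assignments, shadow-style hash lines and an unauthenticated telnet launch. The FIRMWARE blob is constructed for the demonstration; nothing in it comes from a real product.

```python
"""Find hard-coded credentials in a firmware image the way `strings | grep` would.

Added example, not code from the page or from any device vendor. The
FIRMWARE blob below is constructed to stand in for a dumped IoT camera or
doorbell image; every string in it is invented for the demonstration.
"""
import re
from typing import List, Tuple

# Constructed sample: some binary noise with planted strings of the kinds
# that turn up in real consumer-device firmware.
FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(64))
    + b"/etc/init.d/rcS\x00"
    + b"http://admin:admin123@cloud.example.invalid/register\x00"
    + b"\x00\xffPASSWORD=Sup3rS3cret\x00"
    + b"telnetd -l /bin/sh\x00" + bytes(200)
    + b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/:/bin/sh\x00"
)

MIN_LEN = 6
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# (label, pattern) pairs applied to each extracted string, in triage order.
CRED_PATTERNS = [
    ("url-embedded-credentials",
     re.compile(rb"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("password-assignment",
     re.compile(rb"(?:pass(?:word|wd)?|pwd|secret)\s*[=:]\s*\S+", re.I)),
    ("shadow-style-hash",
     re.compile(rb"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:]+:", re.I)),
    ("unauthenticated-telnet",
     re.compile(rb"telnetd\s+-l\s+\S+")),
]


def extract_strings(blob: bytes) -> List[bytes]:
    """Every run of >= MIN_LEN printable ASCII bytes, like strings(1)."""
    return [m.group(0) for m in PRINTABLE_RUN.finditer(blob)]


def find_credentials(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return (label, byte offset, matched string) for each suspicious string."""
    findings = []
    for m in PRINTABLE_RUN.finditer(blob):
        s = m.group(0)
        for label, pattern in CRED_PATTERNS:
            if pattern.search(s):
                findings.append((label, m.start(), s.decode("ascii")))
                break  # one label per string is enough for triage
    return findings


if __name__ == "__main__":
    for label, offset, text in find_credentials(FIRMWARE):
        print(f"{offset:#08x}  {label:26} {text}")
```

    On a real image the same patterns run over the output of `binwalk -e` or a raw SPI flash dump; the offsets let you jump straight to the string in a hex editor to see which binary owns it.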

  6. veti Silver badge

    To answer your title:

    ... Because hosting is cheaper there.

    Duh.

    1. Anonymous Coward
      Anonymous Coward

      Re: To answer your title:

      >... Because hosting is cheaper there.

      Hosting a 22GB DB on AWS would cost somewhere around $2-3 per month (EBS 30GB volume). Pretty sure if a company needs to save that much it isn't going to be in business for long...

  7. Anonymous Coward
    Anonymous Coward

    As long as it’s just Americans

    After all that's the country that thinks it owns the Internet.

  8. Anonymous Coward
    Anonymous Coward

    yawn.....and yes I am sure some foreign government knows that I yawn every day at precisely the same time

  9. Anonymous Coward
    Anonymous Coward

    And closer to home?

    What about the "76m items of information" illegally copied from the Schengen database by a non-Schengen, soon to be non-EU country?

    Glashäuser und so.

    1. renniks

      Re: And closer to home?

      Yep - if/when UK does leave the EU, I would hope that all access to the database is cut off.

    2. Anonymous Coward
      Anonymous Coward

      Re: And closer to home?

      Did you read the article? I'm underwhelmed.

      UK security services copied part of a database about criminals and contraband. Oh wow.

      UK border guards don't police people leaving the UK only entering it. Yes, that is basically their job.

      US contractors may have copied data to the US. That is not the same as the UK giving the data to the US.

      Level of skullduggery, 2/10

      Must try harder.

      1. Anonymous Coward
        Anonymous Coward

        Re: And closer to home?

        > Did you read the article?

        Yup. And understood it too.

      2. Lee D Silver badge

        Re: And closer to home?

        "US contractors may have copied data to the US. That is not the same as the UK giving the data to the US."

        In the eyes of UK and EU law, that step you missed is more important and damning than anything else.

        You cannot just give that data, covered under UK or EU DPAs, to foreign contractors. That's literally illegal, and even with an "agreement" in place if the data is ever exposed YOU are liable for all the fallout (and the very act of allowing it may be illegal whether or not it's exposed).

        This has been drummed into everybody who deals with DPA or GDPR for years now. You can't just say "Wasn't us". You gave it to them. You shouldn't have. No matter what promises were made to you, it's YOUR responsibility. If you've been irresponsible, expect major fallout as if you'd done it yourselves (but actually worse than that, because it wasn't incompetence, it was basically deliberately done against all advice).

        You can't give UK/EU data to other countries, it's that simple, and every person you give it to is your responsibility no matter who they are.

        1. Charles 9

          Re: And closer to home?

          Even if the other country MANDATES it...by THEIR law...AND their mandate falls under CRIMINAL law, too (meaning they carry the graver threat of bars)?

          1. Ken Hagan Gold badge

            Re: And closer to home?

            Yes.

            1. Charles 9

              Re: And closer to home?

              I still say they'll look for a way to lawyer around it. That's what lawyers are for, after all. I mean, why haven't we seen any really BIG judgments stick as of yet?

          2. Loyal Commenter Silver badge

            Re: And closer to home?

            Even if the other country MANDATES it...by THEIR law...[etc]

            Foreign law has no jurisdiction in the UK, and only a damn fool would enter into a treaty where such things are applied unequally.

            If the UK govt. obtains data illegally in the EU, then as a current member (still) of the EU, the law has been broken here.

            Passing the data onto any party that then passes it onto a non-EU country that is not covered by a treaty with the EU that allows such (such as the US) is a breach of that law.

            When we leave the EU, depending on what agreements have been reached, we may be in the situation where the law hasn't been broken here. I would think, though, that the EU negotiators would use this as a bargaining chip. I would.

            Once we have left the EU, the laws in the other 27 member states will still have been broken. The government, or those responsible, could still be prosecuted in any of those countries. If they refuse to pay the fines, then those responsible could have their foreign holidays rudely interrupted and find themselves languishing in such insalubrious places as Kalamata prison (like those idiot "plane spotters" a few years ago who thought it would be a great idea to go photographing the rusting fighter jets parked up in the "military installation" that is Kalamata Airport).

    3. Doctor Syntax Silver badge

      Re: And closer to home?

      To be fair, why should they expect UK police forces to be any more scrupulous in handling somebody else's database when they persistently fail to delete data they've been told to delete by UK courts.

  10. William Higinbotham

    Free?

    I want to get my information for free. What is the ip address? But if I have to download the whole database first, forget it.

  11. martinusher Silver badge

    Surely we're not at war yet?

    I don't like the way that 'adversary' is bandied about these days as if the world only consists of two groups -- 'allies', the people who are in lock step with us, and 'adversaries', our sworn enemies. Life wasn't like that a few years ago when it was all Globalization, Brotherly Love in The Search For The Almighty Dollar, but since then we've had to deal with Trump's Trade War which has divided the world into 'us' and 'them'.

    The Chinese, like anyone else, offer cloud services to customers. Customers have typically not cared where or how their data is stored -- that's the whole purpose of 'cloud', after all. The fact that that data ends up on a server in China and probably passes through all sorts of other nations to get there is just the way the Internet works. If you want your data to be secure then you have to secure it, no matter where it's physically stored, because storing insecure data in a 'friendly' country won't save you.

    1. NATTtrash
      Big Brother

      Re: Surely we're not at war yet?

      "We have always been at war with EastAsia."

    2. Anonymous Coward
      Anonymous Coward

      Re: Surely we're not at war yet?

      Your TDS is showing.

    3. Carpet Deal 'em

      Re: Surely we're not at war yet?

      but since then we've had to deal with Trump's Trade War which has divided the world into 'us' and 'them'.

      I think you've got it the wrong way around: if it weren't for the us-or-them mentality, that trade war never could have started in the first place.

    4. JohnFen

      Re: Surely we're not at war yet?

      "Adversary" != "enemy".

  12. Scott 26
    Coat

    Yeah, right

    >You would think a company trafficking in

    >personal records would care a bit more about being able to be reached.

    Who are you, and what have you done with the real Mr Nichols.

  13. Anonymous Coward
    Anonymous Coward

    Chinese takeaway

    Red Alert

  14. Anonymous Coward
    Anonymous Coward

    How long before all our NHS data appears there too ?

    Exfiltrated to USA by BJ Scrutiny Limited then further Exfiltrated to anywhere else in the world prepared to pay the Bung for the dataset.

    1. Anonymous Coward
      Anonymous Coward

      Re: BJ Scrutiny :)

      "all our NHS data"

      I thought BJ and his technical badvisors had already sorted the first major AI-inspired deals on that subject, and the news was out last year? DeepMined or something, wasn't it? Google will tell you about it.

      Bread and circuses, boys and girls. Bread and circuses. I ain't got no bread, and this ain't my kind of circus, but some people will do well out of it.

      1. Anonymous Coward
        Anonymous Coward

        Deepmined: not last year, maybe 2017 (if not earlier).

        https://www.theregister.co.uk/2017/07/05/deepmind_needs_to_think_about_the_broader_implications_of_its_tech_report/

    2. Colin Miller

      Re: How long before all our NHS data appears there too ?

      Somehow I read the name as "Bergholt Stuttley Johnson"

      1. Venerable and Fragrant Wind of Change

        Re: How long before all our NHS data appears there too ?

        Nostradamus didn't foresee our current prime minister by name.

        The late Sir PTerry, on the other hand, got him exactly right, long before most of us saw the threat.

        1. Nick Ryan Silver badge

          Re: How long before all our NHS data appears there too ?

          If you want to see an even scarier prediction of things, try reading the Boomer Bible...

  15. Anonymous Coward
    Anonymous Coward

    reach a human at CheckPeople

    Thank you very much for your inquiry. We are DEDICATED to helping our customers and we will pass your inquiry to Senior Inquiry Automated Reply System Ninja Bot. In the meantime we thank you for your continuing custom. Have a nice day!

    1. Anonymous Coward
      Anonymous Coward

      Re: Senior Inquiry Automated Reply System Ninja Bot

      surely Senior Head of Information Technology?

      1. Sanctimonious Prick
        WTF?

        Re: Senior Inquiry Automated Reply System Ninja Bot

        The same person that developed the Subaru F.U.C.K.S?

        https://www.gizmodo.com.au/2020/01/subaru-f-u-c-k-s/

  16. jimdandy

    "We are Devo"...and your devolution is coming.

    1. Anonymous Coward
      Anonymous Coward

      +1 for the reference

  17. leenex

    China

    If this isn't fixed soon, China will use it to get the UK to secede from the EU, or worse. They might try to get an Orange Goblin elected president of the USA.

  18. Anonymous Coward
    Anonymous Coward

    "foreign adversaries"

    Good grief, what is this, the 1980s? Oh no, not those commiebastard foreign adversaries! Pearl clutch!

    Seriously, while China will of course have plenty of data on everyone everywhere, I'd actually feel *a lot safer* if only 'foreign adversaries' (or in less hyperbolic words, 'other nation states') had the kind of data Facebook, Google and Amazon have. For one thing, China doesn't have much in the way of motive to act on my browsing history or recent purchases, and for another, they don't actually have the same means to manipulate me in response to that data. And at least if China - or another nation - abuses 'private' data to do harm, the wronged nation can fight back. I can't imagine we're going to see drone strikes on Zuck, Bezos, Page or Brin any time soon.

    1. WilliamBurke

      Re: "foreign adversaries"

      The problem is not that they are commies (they aren't, btw; they are a crony-capitalist one-party dictatorship), but that they are after our wealth and our jobs.

      That China is not currently known for using private data to meddle in other countries on a large scale may just mean they are better at hiding it, and they could ramp it up any time. Russia is doing it quite openly, without any obvious consequences. "The wronged nation can fight back"? So far they don't.

      Of course the abuse by FB, Google and friends is just as bad or worse, but that there are murderers out there doesn't make common assault any more acceptable.

      1. Anonymous Coward
        Anonymous Coward

        Re: "foreign adversaries"

        I'm aware they aren't communists, read the context.

        How do phone numbers and street addresses help other countries steal jobs and wealth?

        Just because a wronged nation doesn't fight back, doesn't mean they cannot. Please, tell me how you'd go about declaring war on a social network or online commerce company.

        Given that I said I'd *prefer* all data to be in the hands of a 'foreign adversary', is it not possible for you to surmise that I'm neither arguing such a situation would be desirable, nor suggesting that the current situation is ideal? That's a rhetorical question: I'm sure you're perfectly capable of working that out, but straw men are just so much easier to argue against. Have a great decade.

        1. Toni the terrible Bronze badge

          Re: "foreign adversaries"

          War against commercial organisations. No problem; sabotage or state sponsored terrorism, or send 007 to 'reason' with Bezos etc. Then again black drone strikes on annoying sod's server farms / offices / campuses is possible. That is if they annoy the wrong/right government enough.

          1. Anonymous Coward
            Anonymous Coward

            Re: "foreign adversaries"

            "War against commercial organisations. No problem"

            Life is not a James Bond movie, my friend. Those companies are powerful enough, and self-sustaining enough, to be like the mythic hydra: kill whichever CEO you like, they will just be replaced, and it won't stop their company from operating (at least, not for long). And once they find out which country did it, the repercussions won't be pretty.

            1. Kiwi
              Paris Hilton

              Re: "foreign adversaries"

              And once they find out which country did it, the repercussions won't be pretty.

              Oh? Do pray tell, which companies have the military might to even match New Zealand, let alone to go up against China or Yankeeville? Which companies are strong enough that "the repercussions won't be pretty" when they go to war against the US, or China, or Russia, or the UK, or Ozzie, or NZ....?

              Come on young master Char, er young fellowmelad, do tell...

      2. Nick Ryan Silver badge

        Re: "foreign adversaries"

        The problem is not that they are commies (they aren't, btw; they are a crony-capitalist one-party dictatorship), but that they are after our wealth and our jobs.

        yeah, about that crony-capitalist one-party dictatorship... a certain nation famous for using Hollywood to tell the world about what an amazing democracy it is is working towards this noble aim. As is the lap-dog political regime the other side of the pond which for some reason wants to emulate all the worst bits of everywhere else.

    2. JohnFen

      Re: "foreign adversaries"

      "Seriously, while China will of course have plenty of data on everyone everywhere, I'd actually feel *a lot safer* if only 'foreign adversaries' (or in less hyperbolic words, 'other nation states') had the kind of data"

      The data is unsecured and available to the whole internet. The problem isn't so much that China has it, it's that anyone could have it.

      1. Anonymous Coward
        Anonymous Coward

        Re: "foreign adversaries"

        "The problem isn't so much that China has it, it's that anyone could have it."

        I would normally agree, except for the fact that my whole point was taking issue with the unnecessarily sensationalising reference to 'foreign adversaries' in the article.

        1. Anonymous Coward
          Anonymous Coward

          Re: "foreign adversaries"

          Unless you're an absolute nobody, you're incorrect. If you are important in any way, someone who knows everything about you can use that information against you.

          As an example, what if someone identified everyone who supports the network at Airbus, and decided that they'd be able to compete better if those folks were all fired? Hack Airbus, ID their computers, have a self-deleting GPO push incriminating data to their machines, followed by an email to HR.....wham, no more network admins at Airbus. Obviously it would be more complicated than this but you seem to think that you're immune.

  19. TimMaher Silver badge
    Headmaster

    Ted Codd

    I don't really know NoSQL but, considering the description of the data being exposed, you would have thought that they would have used a fully relational database and third normal form.

    1. Doctor Syntax Silver badge

      Re: Ted Codd

      Too much like hard work.

      1. Richard 12 Silver badge

        Re: Ted Codd

        And their business model doesn't depend on the data being up-to-date, de-duplicated, accurate or even vaguely related to any persons, living or dead.
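    What the thread above is gesturing at, written out: the same name/address/phone/age records held one-document-per-person versus in third normal form. This is an added example using the standard library's sqlite3, not the vendor's schema (the page does not describe it). The flat rows are constructed, and the person-matching rule (same name and birth year) is a deliberate simplification of the entity resolution a real system would need. Age is stored as a birth year, because an age is a derived value that goes stale.

```python
"""One flat record per person versus a third-normal-form layout.

Added example, not code from the page or from CheckPeople. The FLAT_ROWS
are constructed; the schema is the author's illustration of 3NF for the
fields the page describes (name, address, phone, age).
"""
import sqlite3
from typing import Dict, List

SCHEMA = """
CREATE TABLE person (
    id          INTEGER PRIMARY KEY,
    first_name  TEXT NOT NULL,
    last_name   TEXT NOT NULL,
    birth_year  INTEGER                -- store the fact, derive the age
);
CREATE TABLE address (
    id      INTEGER PRIMARY KEY,
    street  TEXT NOT NULL,
    city    TEXT NOT NULL,
    state   TEXT NOT NULL,
    zip     TEXT NOT NULL,
    UNIQUE (street, city, state, zip)  -- one row per physical address
);
CREATE TABLE residence (               -- many people per address, many addresses per person
    person_id  INTEGER NOT NULL REFERENCES person(id),
    address_id INTEGER NOT NULL REFERENCES address(id),
    PRIMARY KEY (person_id, address_id)
);
CREATE TABLE phone (
    number    TEXT PRIMARY KEY,        -- a number belongs to exactly one person here
    person_id INTEGER NOT NULL REFERENCES person(id)
);
"""

# Constructed flat records, the shape a one-document-per-row dump has.
# The third row is a duplicate of the first, as scraped dumps often contain.
FLAT_ROWS = [
    {"first": "Ada", "last": "Lovelace", "birth_year": 1815, "street": "1 Example St",
     "city": "Miami", "state": "FL", "zip": "33101", "phones": ["305-555-0100"]},
    {"first": "Charles", "last": "Babbage", "birth_year": 1791, "street": "1 Example St",
     "city": "Miami", "state": "FL", "zip": "33101", "phones": ["305-555-0101", "305-555-0102"]},
    {"first": "Ada", "last": "Lovelace", "birth_year": 1815, "street": "1 Example St",
     "city": "Miami", "state": "FL", "zip": "33101", "phones": ["305-555-0100"]},
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def load_flat(conn: sqlite3.Connection, rows: List[dict]) -> None:
    """Normalise flat rows: reuse existing person/address rows instead of duplicating them."""
    for r in rows:
        found = conn.execute(
            "SELECT id FROM person WHERE first_name=? AND last_name=? AND birth_year=?",
            (r["first"], r["last"], r["birth_year"])).fetchone()
        pid = found[0] if found else conn.execute(
            "INSERT INTO person(first_name, last_name, birth_year) VALUES (?,?,?)",
            (r["first"], r["last"], r["birth_year"])).lastrowid
        addr = (r["street"], r["city"], r["state"], r["zip"])
        conn.execute("INSERT OR IGNORE INTO address(street, city, state, zip) VALUES (?,?,?,?)", addr)
        aid = conn.execute(
            "SELECT id FROM address WHERE street=? AND city=? AND state=? AND zip=?", addr).fetchone()[0]
        conn.execute("INSERT OR IGNORE INTO residence VALUES (?,?)", (pid, aid))
        for number in r["phones"]:
            conn.execute("INSERT OR IGNORE INTO phone VALUES (?,?)", (number, pid))
    conn.commit()


def table_counts(conn: sqlite3.Connection) -> Dict[str, int]:
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("person", "address", "residence", "phone")}


def household(conn: sqlite3.Connection, street: str, zip_code: str) -> List[str]:
    """Everyone recorded at one address: a join, not a scan over every document."""
    rows = conn.execute("""
        SELECT p.first_name || ' ' || p.last_name
        FROM person p
        JOIN residence r ON r.person_id = p.id
        JOIN address a   ON a.id = r.address_id
        WHERE a.street = ? AND a.zip = ?
        ORDER BY p.last_name""", (street, zip_code)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_db()
    load_flat(db, FLAT_ROWS)
    print(table_counts(db))
    print(household(db, "1 Example St", "33101"))
```

    Three flat rows become two people, one address and three phone numbers; the duplicate collapses on load rather than being shipped to every customer who queries it.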

  20. JimmyPage Silver badge
    Boffin

    ... but it's all publicly available anyway ?

    The problem is more its aggregation and integration. Which leads to an interesting - and very valid - legal question about whether anything intrinsically illegal has gone on ? And if so, at what stage ? The actual gathering (of public data ?). The aggregation ? The integration ? Or the scale ?

    1. Doctor Syntax Silver badge

      Re: ... but it's all publicly available anyway ?

      If you published their integrated version of it their lawyers would be very quick to explain to you the difference between what's in that and the separate publicly available data bases - and complain you were infringing their copyright.

      1. MachDiamond Silver badge

        Re: ... but it's all publicly available anyway ?

        "and complain you were infringing their copyright."

        The DB would have to have some made up entries to qualify for Copyright. A compendium of factual information is not eligible for Copyright protection. There's some very funny case law on this. Georgia (the state, not the country) has been trying to assert that their laws have a copyright. Check Steve Lehto on YouTube for commentary on that one.

        1. Doctor Syntax Silver badge

          Re: ... but it's all publicly available anyway ?

          "Check Steve Lehto on YouTube for commentary on that one."

          Actually, I'd rather check the text. It's at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31996L0009&from=EN but the summary is here: https://en.wikipedia.org/wiki/Database_Directive

  21. Anonymous Coward
    Anonymous Coward

    "but it's being served from an IP address associated with Alibaba's web hosting wing in Hangzhou, east China, for reasons unknown"

    I'd like to solve the riddle: the Alibaba bitbucket was cheaper.

  22. Mike 137 Silver badge

    "Why is a 22GB database [...] sitting on the open internet "

    Because nobody is thinking beyond their immediate concern of the moment when implementing anything these days. If the DB is in a cloud repository, it's the result of Fire and Forget Outsourcing.

    This ain't specifically about privacy - it's about governance (absence of it).

  23. Anonymous Coward
    Anonymous Coward

    Do people really believe...

    ...that the Chinese, the Russians, even Iran have not had their money markets infiltrated a long long time ago. Hong Kong ffs? Do people really think it's us vs them?

    If I was going to consolidate my mega wealth across the globe, I'd probably abandon all concept of nationality and put my money everywhere.

    That way I can play all sides off each other.

  24. GarfieldLeChat

    Anyone want to tweet the toddler in chief?

    Let's tell him his details are on there and see how quickly this is resolved...

    1. Toni the terrible Bronze badge

      Re: Anyone want to tweet the toddler in chief?

      The TIC is in bed with them anyway. Not that he would understand it or care as long as he was getting his cut.

  25. Jake Maverick

    My first real job str8 out of University was working for BT. I was involved in the roll-out of what they called PhoneNetUK.....they got permission from some little known govt agency to break the DPA.

    So, basically everybody's name and address got published on the Internet. Many folks complained about that....repeatedly....until they got murdered. The staff dealing with these complaints thought that was hilarious....

    At a MINIMUM several thousand people got murdered, kneecapped, stabbed, beaten up...and they're just the ones I got to hear about. The most famous of which was Jill Dando....

    Talking about/ campaigning on these things also got me ass raped in mental prison for six months. As well as a lot of other bad **** happening to me.....stole my identity for one. Been homeless and destitute ever since....basically kept as a slave to pedophiles. 14th Anniversary was the 6th of January for me.

    So how can we put a stop to these things? Well, you're not allowed to talk about that for legal reasons.

    1. Ken Hagan Gold badge

      14 years destitute and homeless but a 6 year posting history on El Reg?

      1. rmason

        Quick glance at the posting history and...EEEK!

        Wow, lot to unpack there. Everything from MK ultra to conspiracies about the chips in cats and dogs giving them cancer.

        Every opportunity taken to mention the police / state raping everyone.

        Get caught with questionable material did we? again: EEEK.

  26. disgruntled yank

    What has changed?

    The information is out there now for free, while one once had to pay. CheckPeople looks stupid--I don't know whether that's a change.

    1. tim 13

      Re: What has changed?

      'Tis true. The Chinese government (or whoever) could have still got the same info if the DB was fully secured on a US server, they'd just have had to pay CheckPeople for it. There's no loss of security of data, just a loss of revenue for CheckPeople.

  27. Daniel Hall
    Mushroom

    The world wide web is a cancerous piece of crap these days

    Sort of related.

    Every time I login to this website, I get a warning via Chrome that my account may have been compromised.... anyway..

    Are you at all shocked by the article?

    A company wants to make money. - Tick!

    Said company doesn't give a crap about your privacy! - Tick!

    This is the internet these days folks, get used to it.

    1. MachDiamond Silver badge

      Re: The world wide web is a cancerous piece of crap these days

      "Every time I login to this website, I get a warning via Chrome that my account may have been compromised.... anyway.."

      That's because you are using Chrome. It's not a warning, it's just an FYI.

    2. rmason

      Re: The world wide web is a cancerous piece of crap these days

      Chrome is telling you that your username and/or password are contained within leaks of usernames and passwords.

      Listen to it, and change your password(s)
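
Chrome's own leaked-credential check is closed source, so the following is an added example (not Chrome's code and not from the article) of the k-anonymity "range" scheme used by Have I Been Pwned's Pwned Passwords API, which is one way a client can learn that a password appears in breach dumps without ever sending the password or its full hash. The client hashes the password with SHA-1, sends only the first five hex digits, receives every known suffix sharing that prefix, and does the final match locally. The range body below is constructed inline so the example runs offline; the live endpoint it stands in for is `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
import urllib.request

# Constructed stand-in for what the range endpoint returns for prefix "5BAA6":
# one "HASHSUFFIX:COUNT" per line. The first line is the real SHA-1 suffix of
# the string "password"; the other rows and all counts are made-up sample data.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}


def sha1_upper(text: str) -> str:
    """Uppercase hex SHA-1, the digest form the range API keys on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-char prefix ever leaves the machine."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines."""
    counts = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password was seen in breaches (0 = not found).

    fetch_range(prefix) -> str is injected so the check can run against the
    constructed sample offline or against the live service.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_sample_range(prefix: str) -> str:
    """Offline fetcher over the constructed sample above."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")


def fetch_live_range(prefix: str) -> str:
    """Real fetcher (network access; not used by the offline demo)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_sample_range)
        print(f"{pw!r}: seen {n} time(s) in the sample range data")
```

The privacy property comes from the prefix: five hex digits select one of 2^20 buckets, each holding hundreds of real suffixes, so the server learns only that the client's password hashes into that bucket. The count matters as much as the hit: a password seen millions of times is the kind a credential-stuffing list will try first.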

  28. Anonymous Coward
    Anonymous Coward

    I blame systemd.

    ^ obvs.

  29. ProperDave

    Back in the early 2000's when working for a major IT firm dealing with mainstream news and early social media, I created and the company patented a series of spiders to crawl the web looking for public profiles on websites. The thing was designed to self-learn using some rudimentary NLP. Data collected was processed so profiles across multiple sites could be linked to identify individuals based on common profile elements (username, profile pictures, declared location and interests etc, and some basic writing style analysis using NLP). User profile combinations were scored on how likely it was that two or more profiles were the same individual.

    The best example was where the tool found one person on 44 different web sites, including CV sites and this guy's various interests. All the data mined was openly public and not restricted in any way besides your standard robots.txt file.

    The project was never released onto the market. The Legal department decided it was 'too legally grey'. But it was demoed to several of the company's customers, including government departments and think tanks.

    I wouldn't be surprised if services exist today that do the same thing.
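
The cross-site profile linking described in the comment above is ordinary entity resolution, and the part that does not need NLP is easy to show. The following is an added example, not ProperDave's patented tool and not from the article: it scores pairs of profiles on normalised username, declared location, interest overlap (Jaccard) and a perceptual-hash distance for the profile picture, then reports pairs from different sites that clear a threshold. The weights, the three profiles and the avatar hashes are constructed for the demo; the writing-style signal the comment mentions is left out.

```python
import re
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    site: str
    username: str
    location: str = ""
    interests: FrozenSet[str] = frozenset()
    avatar_phash: str = ""   # 64-bit perceptual hash as hex; constructed values below


def norm_user(u: str) -> str:
    """Strip separators and case so 'J.Doe_Photos' and 'jdoephotos' compare equal."""
    return re.sub(r"[^a-z0-9]", "", u.lower())


def hamming_hex(a: str, b: str) -> Optional[int]:
    """Bit distance between two equal-length hex hashes; None if either is missing."""
    if not a or not b or len(a) != len(b):
        return None
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


# Assumed weights: a username match is strong, a near-identical avatar is
# strong, location and interests are weak corroboration on their own.
def link_score(p: Profile, q: Profile) -> Tuple[float, List[str]]:
    score, evidence = 0.0, []
    pu, qu = norm_user(p.username), norm_user(q.username)
    if pu and pu == qu:
        score += 0.45
        evidence.append("username")
    elif len(pu) >= 6 and len(qu) >= 6 and (pu in qu or qu in pu):
        score += 0.20
        evidence.append("username-substring")
    if p.location and p.location.lower() == q.location.lower():
        score += 0.15
        evidence.append("location")
    j = jaccard(p.interests, q.interests)
    if j > 0:
        score += 0.25 * j
        evidence.append(f"interests={j:.2f}")
    d = hamming_hex(p.avatar_phash, q.avatar_phash)
    if d is not None and d <= 8:        # <=8 differing bits: same picture, re-encoded
        score += 0.35
        evidence.append(f"avatar-hamming={d}")
    return min(score, 1.0), evidence


def find_links(profiles: List[Profile], threshold: float = 0.6):
    """Pairs of profiles on different sites likely to be the same person."""
    links = []
    for p, q in combinations(profiles, 2):
        if p.site == q.site:
            continue
        s, ev = link_score(p, q)
        if s >= threshold:
            links.append((p.site, q.site, s, ev))
    return sorted(links, key=lambda t: -t[2])


# Constructed sample profiles (not real people).
SAMPLE = [
    Profile("flickr", "jdoe_photos", "Leeds", frozenset({"photography", "cycling"}),
            "f0e1d2c3b4a59687"),
    Profile("twitter", "JDoePhotos", "leeds", frozenset({"photography", "cycling", "beer"}),
            "f0e1d2c3b4a59686"),
    Profile("forum", "random_guy", "London", frozenset({"football"}), "0123456789abcdef"),
]

if __name__ == "__main__":
    for a, b, s, ev in find_links(SAMPLE):
        print(f"{a} <-> {b}: {s:.2f} via {', '.join(ev)}")
```

Nothing here touches anything non-public; the point of the comment, and of the example, is that weak public signals compound. A reused avatar plus a reused handle is enough to join a CV site to a hobby forum, and once two profiles are joined every field on either side is attributed to the person.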

  30. Anonymous Coward
    Anonymous Coward

    >on the public internet

    Link, plox?

    Asking for a friend..

    (Why yes, full disclosure is a thing.)

  31. Cynic_999

    Privacy concerns is not ONLY about having your data stored ...

    Your private data has to be stored by many different companies and agencies, and I have no problem with that in principle.

    The big concern however is having a whole heap of data dealing with many different and unrelated aspects of your life that is easily accessible (and searchable) by a single person or machine. This is when algorithms can be used to look for patterns - often adding 2+2 and coming up with 5.

    My travel history, online purchasing history, previous addresses, credit card score, medical history, utility usage, what licenses I hold, any criminal records, my social media contacts, all my family members, what films I have downloaded, what newspapers I read, what YouTube videos I have watched, what languages I speak, which radio and TV programs I prefer, what groceries I buy, which places I visit to socialise and be entertained, my income and outgoings etc. etc. ... these may well all be stored in the databases of various companies and organisations - but it should not be possible for anyone to easily access all those things at the same time because this is when computer algorithms can and inevitably will be used for both specific and speculative searches that result in all sorts of incorrect "hits" and "profiles". The government's wet dream of having everyone's personal details stored in a single indexed central database is extremely dangerous - and is the biggest objection I had to the national ID card. i.e. not the card itself, but the database that would be created behind it.

    1. MachDiamond Silver badge

      Re: Privacy concerns is not ONLY about having your data stored ...

      Start to really be afraid when the listing details your children, where they go to school, their teacher's name, grades, disciplinary reports, MAC address of the laptop or tablet they were issued, etc.

      Target (a store in the US) was doing some shopping pattern analysis by rewards card customers and with pretty decent accuracy, they could tell when a woman got pregnant. The idea was that they could start sending them coupons and targeted ads. This backfired a bit when the woman turned out to be a teenage girl and her father was not happy about her getting all of these ads and coupons. He hadn't been told and when he learned his daughter was with child, he had to return to the local store and apologize to the manager. (bonus points to this guy for that). The details of your shopping could be telling tales on you that it takes a computer to figure out. The downside is there are computers being tasked with just that.

      A few details about a person can be just the smallest thread that when pulled, unravels the sweater. Look to the spy novel and political fiction writers for all sorts of ideas.

      Another bad idea that people are forced in to is toll road transponders. 2600 magazine had an article some years ago where they were showing the readers in far more places than just on the toll roads. They didn't cause a charge against the account, they just noted that the car passed by. I hope you aren't keeping anything from your spouse that your travel log might shed light on. Oh right, you were "working" late. Sure.

  32. Anonymous Coward
    Anonymous Coward

    If the data is published to the world so....

    ... it is public domain, that a company organised it into a format that they could sell is clearly not an issue where the company resides, some third party using the same data in a different area without anyone's permission is again par for the course.

    If this data is unnecessarily damaging to the individuals, that is very much why it was published, if you think it is wrong to punish someone forever then stop publishing it

    That it is a Chinese site is irrelevant unless you get paid to report it and/or you believe that only a select group should be allowed to control the data that your country published to the world.

  33. Anonymous Coward
    Anonymous Coward

    Comparison with Europe & GDPR

    So this company allowed 56 million personal address details about US citizens to leak - and has not bothered to respond.

    In the UK, British Airways had a similar data leak of half a million customers and was fined £183 million under GDPR legislation.

    I don’t know exactly what difference there may have been in the type of info leaked.

    But it’s at least indicative that GDPR legislation has teeth..

    The US needs something like this..

    Perhaps point out to your senators that their personal info has been leaked by this company - then maybe they will take some action about it.

  34. bill o

    There are reasons

    So instead of just fear mongering, have you actually confirmed the server is in China or is it just using Chinese IP space? You can run redirectors and it is very common for companies to use address space that is not the same as their server's country of origin due to how the internet works.....

    1. Grunchy Silver badge

      Re: There are reasons

      What dya mean, like a VPN or something?
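
bill o's distinction is the right one: a "Chinese IP" usually means the block is registered to a Chinese organisation in the RIR (APNIC) database, which says nothing about where the machine answering on it sits, whether behind a redirector, a VPN endpoint or a hosting provider that bought the range. Below is an added example, not from the article, of the two checks a practitioner would actually do: read the registry's own country code from an RDAP record, then use round-trip times from probes in known places to bound how far away the host can physically be (light in fibre covers roughly 200 km per millisecond, an assumed constant). The RDAP record, the probe locations and every RTT are constructed for the demo.

```python
import math

# Constructed RDAP "ip network" object: the fields used here ("country",
# "name", "startAddress", "endAddress") are standard RDAP fields, but the
# values are sample data, not a real allocation.
SAMPLE_RDAP = {
    "objectClassName": "ip network",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "name": "EXAMPLE-CLOUD-NET",
    "country": "CN",
}

# Assumed propagation speed: ~2/3 c in fibre, so ~200 km of one-way path per ms.
FIBRE_KM_PER_MS = 200.0

# Constructed probe vantage points (lat, lon) and measured min RTTs in ms.
PROBES = {
    "Ashburn":   ((39.04, -77.49), 4.2),
    "Frankfurt": ((50.11, 8.68),   90.0),
    "Tokyo":     ((35.68, 139.69), 150.0),
}

# Candidate locations to test against the RTT evidence.
CANDIDATES = {
    "Beijing": (39.90, 116.40),
    "Ashburn": (39.04, -77.49),
}


def allocation_summary(rdap: dict):
    """What the registry says: registrant-declared country and block name.

    This is a paperwork fact about the allocation, not a measurement.
    """
    return rdap.get("country"), rdap.get("name"), rdap.get("startAddress"), rdap.get("endAddress")


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def max_one_way_km(rtt_ms: float) -> float:
    """Upper bound on host distance from a probe given its min RTT."""
    return rtt_ms / 2.0 * FIBRE_KM_PER_MS


def probes_excluding(candidate_latlon, probes=PROBES):
    """Probes whose RTT is too small for the host to be at the candidate location."""
    excluded = []
    for name, (probe_latlon, rtt) in probes.items():
        if haversine_km(probe_latlon, candidate_latlon) > max_one_way_km(rtt):
            excluded.append(name)
    return sorted(excluded)


def consistent_candidates(candidates=CANDIDATES, probes=PROBES):
    """Candidate locations not ruled out by any probe."""
    return [c for c, ll in candidates.items() if not probes_excluding(ll, probes)]


if __name__ == "__main__":
    country, name, start, end = allocation_summary(SAMPLE_RDAP)
    print(f"registry: {start}-{end} '{name}' registered country {country}")
    for c, ll in CANDIDATES.items():
        print(f"{c}: ruled out by {probes_excluding(ll) or 'no probe'}")
    print("consistent with RTT evidence:", consistent_candidates())
```

In the constructed data the registry says CN, yet a 4.2 ms round trip from Ashburn puts the host within about 420 km of northern Virginia, which no route to Beijing can satisfy. Latency can only exclude places, never confirm one, and a CDN or reverse proxy in front of the real server will make the front end look local while the data sits elsewhere, which is exactly the redirector case the comment raises.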

  35. Grunchy Silver badge

    You lie, you never found nuthen

    Where's the smoking bodies, that's what I want to know.

  36. razorfishsl

    Anyone who thinks the China cloud suppliers are not ensuring that data they store outside of China is not available IN China is a fucking idiot.

    It is all a massive data gathering exercise....

    from the facial recognition to the cloud servers linked to China supplied door video systems.

    Dumb shits just keep putting the data in and lovin the cheap cheap price.....

  37. Asok Asus

    "We have withheld further details for privacy protection reasons."

    Uh, since that makes it impossible to verify that this supposedly open-to-the-public database even exists, how do we know that hacker "lynx" isn't just making this up?

  38. William Higinbotham

    Where is the Proof

    So I went through the feed here. Still no IP address to prove that this article is true. How do we know that the IP may not be that in China but in the back door of NSA or some other US Cyber Warfare/Security site?

  39. n9netails

    Unbelievable

    Literally unbelievable. Where is this database? Prove it by sharing the IP.
